Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-1962 (GCVE-0-2022-1962)
Vulnerability from cvelistv5 – Published: 2022-08-09 20:18 – Updated: 2026-03-06 19:08
VLAI
EPSS
Title
Stack exhaustion due to deeply nested types in go/parser
Summary
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
Severity
5.5 (Medium)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | go/parser |
Affected:
0 , < 1.17.12
(semver)
Affected: 1.18.0-0 , < 1.18.4 (semver) |
Credits
Juho Nurminen of Mattermost
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/417063"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/53616"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0515"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-1962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T19:32:02.875913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T19:08:08.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "go/parser",
"product": "go/parser",
"programRoutines": [
{
"name": "ParseFile"
},
{
"name": "ParseExprFrom"
},
{
"name": "parser.tryIdentOrType"
},
{
"name": "parser.parsePrimaryExpr"
},
{
"name": "parser.parseUnaryExpr"
},
{
"name": "parser.parseBinaryExpr"
},
{
"name": "parser.parseIfStmt"
},
{
"name": "parser.parseStmt"
},
{
"name": "resolver.openScope"
},
{
"name": "resolver.closeScope"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.17.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.18.4",
"status": "affected",
"version": "1.18.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:29.406Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/417063"
},
{
"url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879"
},
{
"url": "https://go.dev/issue/53616"
},
{
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0515"
}
],
"title": "Stack exhaustion due to deeply nested types in go/parser"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-1962",
"datePublished": "2022-08-09T20:18:18.000Z",
"dateReserved": "2022-05-31T00:00:00.000Z",
"dateUpdated": "2026-03-06T19:08:08.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-1962",
"date": "2026-05-31",
"epss": "5e-05",
"percentile": "0.00296"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-1962\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2022-08-10T20:15:26.250\",\"lastModified\":\"2026-03-06T20:16:09.373\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.\"},{\"lang\":\"es\",\"value\":\"Una recursi\u00f3n no controlada en las funciones Parse en go/parser versiones anteriores a Go 1.17.12 y Go 1.18.4, permite a un atacante causar un p\u00e1nico debido al agotamiento de la pila por medio de tipos o declaraciones profundamente anidados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.17.12\",\"matchCriteriaId\":\"646881F6-A299-4D92-A1F3-E95959FA426F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.18.0\",\"versionEndExcluding\":\"1.18.4\",\"matchCriteriaId\":\"FE088A2D-7894-4A48-887C-36DD727A7BEB\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/417063\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://go.dev/issue/53616\",\"source\":\"security@golang.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE\",\"source\":\"security@golang.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2022-0515\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://go.dev/cl/417063\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://go.dev/issue/53616\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2022-0515\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://go.dev/cl/417063\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go.dev/issue/53616\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2022-0515\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T00:24:43.737Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-1962\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-24T19:32:02.875913Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T19:07:41.231Z\"}}], \"cna\": {\"title\": \"Stack exhaustion due to deeply nested types in go/parser\", \"credits\": [{\"lang\": \"en\", \"value\": \"Juho Nurminen of Mattermost\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"go/parser\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.17.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.18.0-0\", \"lessThan\": \"1.18.4\", \"versionType\": \"semver\"}], \"packageName\": \"go/parser\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"ParseFile\"}, {\"name\": \"ParseExprFrom\"}, {\"name\": \"parser.tryIdentOrType\"}, {\"name\": \"parser.parsePrimaryExpr\"}, {\"name\": \"parser.parseUnaryExpr\"}, {\"name\": \"parser.parseBinaryExpr\"}, {\"name\": \"parser.parseIfStmt\"}, {\"name\": \"parser.parseStmt\"}, {\"name\": \"resolver.openScope\"}, {\"name\": \"resolver.closeScope\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/417063\"}, {\"url\": \"https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879\"}, {\"url\": \"https://go.dev/issue/53616\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2022-0515\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-674: Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2023-06-12T19:04:29.406Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-1962\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T19:08:08.543Z\", \"dateReserved\": \"2022-05-31T00:00:00.000Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2022-08-09T20:18:18.000Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
alsa-2022:5775
Vulnerability from osv_almalinux
Published
2022-08-01 00:00
Modified
2022-08-05 16:43
Summary
Important: go-toolset:rhel8 security and bug fix update
Details
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es): * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705) * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) * golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131) * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630) * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632) * golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Clean up dist-git patches (BZ#2110942) * Update Go to version 1.17.12 (BZ#2110943)
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "delve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.2-1.module_el8.6.0+2736+ec10aba8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "go-toolset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang-bin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang-misc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang-race"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang-src"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "golang-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.module_el8.6.0+3065+e17ed2d4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \nSecurity Fix(es):\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nBug Fix(es):\n* Clean up dist-git patches (BZ#2110942)\n* Update Go to version 1.17.12 (BZ#2110943)",
"id": "ALSA-2022:5775",
"modified": "2022-08-05T16:43:29Z",
"published": "2022-08-01T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:5775"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107388"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2022-5775.html"
}
],
"related": [
"CVE-2022-30631",
"CVE-2022-1705",
"CVE-2022-1962",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-30635",
"CVE-2022-32148"
],
"summary": "Important: go-toolset:rhel8 security and bug fix update"
}
alsa-2022:5799
Vulnerability from osv_almalinux
Published
2022-08-01 00:00
Modified
2022-08-05 15:29
Summary
Important: go-toolset and golang security and bug fix update
Details
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix(es): * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705) * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) * golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131) * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630) * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632) * golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Clean up dist-git patches (BZ#2109174) * Update Go to version 1.17.12 (BZ#2109183)
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang-bin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang-misc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang-race"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang-src"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "golang-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12-1.el9_0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \nThe golang packages provide the Go programming language compiler.\nSecurity Fix(es):\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nBug Fix(es):\n* Clean up dist-git patches (BZ#2109174)\n* Update Go to version 1.17.12 (BZ#2109183)",
"id": "ALSA-2022:5799",
"modified": "2022-08-05T15:29:10Z",
"published": "2022-08-01T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:5799"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107388"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2022-5799.html"
}
],
"related": [
"CVE-2022-30631",
"CVE-2022-1705",
"CVE-2022-1962",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-30635",
"CVE-2022-32148"
],
"summary": "Important: go-toolset and golang security and bug fix update"
}
alsa-2022:7519
Vulnerability from osv_almalinux
Published
2022-11-08 00:00
Modified
2022-11-12 01:59
Summary
Moderate: grafana security, bug fix, and enhancement update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
The following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055348)
Security Fix(es):
- sanitize-url: XSS due to improper sanitization in sanitizeUrl function (CVE-2021-23648)
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
- grafana: XSS vulnerability in data source handling (CVE-2022-21702)
- grafana: CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)
- grafana: IDOR vulnerability can lead to information disclosure (CVE-2022-21713)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.15-3.el8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nThe following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055348)\n\nSecurity Fix(es):\n\n* sanitize-url: XSS due to improper sanitization in sanitizeUrl function (CVE-2021-23648)\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)\n* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)\n* grafana: XSS vulnerability in data source handling (CVE-2022-21702)\n* grafana: CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)\n* grafana: IDOR vulnerability can lead to information disclosure (CVE-2022-21713)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2022:7519",
"modified": "2022-11-12T01:59:13Z",
"published": "2022-11-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:7519"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-23648"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21673"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21698"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21702"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21703"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21713"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2044628"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2045880"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2050648"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2050742"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2050743"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2065290"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107388"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2022-7519.html"
}
],
"related": [
"CVE-2021-23648",
"CVE-2022-1705",
"CVE-2022-1962",
"CVE-2022-21673",
"CVE-2022-21698",
"CVE-2022-21702",
"CVE-2022-21703",
"CVE-2022-21713",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30631",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-30635",
"CVE-2022-32148"
],
"summary": "Moderate: grafana security, bug fix, and enhancement update"
}
alsa-2022:7529
Vulnerability from osv_almalinux
Published
2022-11-08 00:00
Modified
2023-01-03 12:15
Summary
Moderate: container-tools:3.0 security update
Details
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.9-6.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.9-6.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "cockpit-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "29-2.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "conmon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.0.26-3.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.7.0+3406+a17c4180"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.6.0+3336+00d107d5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containers-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.4-2.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.18-3.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.18-3.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0-2.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0-2.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-3.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-3.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-catatonit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-remote"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-73.rc95.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-73.rc95.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.4-2.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.4-2.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "udica"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.4-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2022:7529",
"modified": "2023-01-03T12:15:28Z",
"published": "2022-11-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:7529"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1708"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21698"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2045880"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2085361"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2022-7529.html"
}
],
"related": [
"CVE-2022-1705",
"CVE-2022-1708",
"CVE-2022-1962",
"CVE-2022-21698",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30631",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-32148"
],
"summary": "Moderate: container-tools:3.0 security update"
}
alsa-2022:8057
Vulnerability from osv_almalinux
Published
2022-11-15 00:00
Modified
2022-11-18 04:52
Summary
Important: grafana security, bug fix, and enhancement update
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
The following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055349)
Security Fix(es):
- sanitize-url: XSS due to improper sanitization in sanitizeUrl function (CVE-2021-23648)
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
- grafana: XSS vulnerability in data source handling (CVE-2022-21702)
- grafana: CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)
- grafana: IDOR vulnerability can lead to information disclosure (CVE-2022-21713)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.15-3.el9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nThe following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055349)\n\nSecurity Fix(es):\n\n* sanitize-url: XSS due to improper sanitization in sanitizeUrl function (CVE-2021-23648)\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)\n* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)\n* grafana: XSS vulnerability in data source handling (CVE-2022-21702)\n* grafana: CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)\n* grafana: IDOR vulnerability can lead to information disclosure (CVE-2022-21713)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2022:8057",
"modified": "2022-11-18T04:52:36Z",
"published": "2022-11-15T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:8057"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-23648"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21673"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21698"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21702"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21703"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21713"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2044628"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2045880"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2050648"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2050742"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2050743"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2065290"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107388"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2022-8057.html"
}
],
"related": [
"CVE-2021-23648",
"CVE-2022-1705",
"CVE-2022-1962",
"CVE-2022-21673",
"CVE-2022-21698",
"CVE-2022-21702",
"CVE-2022-21703",
"CVE-2022-21713",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30631",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-30635",
"CVE-2022-32148"
],
"summary": "Important: grafana security, bug fix, and enhancement update"
}
alsa-2023:2758
Vulnerability from osv_almalinux
Published
2023-05-16 00:00
Modified
2023-05-22 10:20
Summary
Moderate: container-tools:rhel8 security, bug fix, and enhancement update
Details
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
- podman: symlink exchange attack in podman export volume (CVE-2023-0778)
- golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aardvark-dns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.5.0-2.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.29.1-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.29.1-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "cockpit-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "63.1-1.module_el8.8.0+3557+7ba9cc13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "conmon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:2.1.6-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.205.0-2.module_el8.8.0+3557+7ba9cc13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.0-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containers-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1-63.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-2.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "netavark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.5.0-4.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.8-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-catatonit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-gvproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-remote"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.1-1.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.4-1.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.11.2-0.2.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.11.2-0.2.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-2.module_el8.7.0+3407+95aa0ca9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-7.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-7.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "udica"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6-20.module_el8.8.0+3470+252b1910"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n* podman: symlink exchange attack in podman export volume (CVE-2023-0778)\n* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2023:2758",
"modified": "2023-05-22T10:20:38Z",
"published": "2023-05-16T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2023:2758"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30629"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32189"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-0778"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2092793"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107388"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2113814"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2124669"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2161274"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2168256"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2023-2758.html"
}
],
"related": [
"CVE-2022-1705",
"CVE-2022-1962",
"CVE-2022-27664",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30631",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-30635",
"CVE-2022-32148",
"CVE-2022-41717",
"CVE-2023-0778",
"CVE-2022-30629",
"CVE-2022-32189"
],
"summary": "Moderate: container-tools:rhel8 security, bug fix, and enhancement update"
}
alsa-2023:2802
Vulnerability from osv_almalinux
Published
2023-05-16 00:00
Modified
2023-05-19 22:13
Summary
Moderate: container-tools:4.0 security and bug fix update
Details
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
- podman: symlink exchange attack in podman export volume (CVE-2023-0778)
- podman: possible information disclosure and modification (CVE-2022-2989)
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aardvark-dns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.0.1-37.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.24.6-5.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.24.6-5.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "cockpit-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "46-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "conmon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.1.4-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.199.0-1.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.1-2.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containers-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1-37.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "netavark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.0.1-37.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.5-2.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-catatonit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-gvproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-remote"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-20.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-1.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.4-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.6.2-6.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.6.2-6.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-2.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-2.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-7.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-7.module_el8.8.0+3468+16b86c82"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "udica"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6-3.module_el8.6.0+2886+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n* podman: symlink exchange attack in podman export volume (CVE-2023-0778)\n* podman: possible information disclosure and modification (CVE-2022-2989)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2023:2802",
"modified": "2023-05-19T22:13:16Z",
"published": "2023-05-16T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2023:2802"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-2989"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32189"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-0778"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107388"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2113814"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2121445"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2124669"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2161274"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2168256"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2023-2802.html"
}
],
"related": [
"CVE-2022-1705",
"CVE-2022-1962",
"CVE-2022-27664",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30631",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-30635",
"CVE-2022-32148",
"CVE-2022-41717",
"CVE-2023-0778",
"CVE-2022-2989",
"CVE-2022-32189"
],
"summary": "Moderate: container-tools:4.0 security and bug fix update"
}
bit-golang-2022-1962
Vulnerability from bitnami_vulndb
Published
2024-03-06 11:02
Modified
2025-05-20 10:02
Summary
Stack exhaustion due to deeply nested types in go/parser
Details
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "golang",
"purl": "pkg:bitnami/golang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.12"
},
{
"introduced": "1.18.0"
},
{
"fixed": "1.18.4"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-1962"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.",
"id": "BIT-golang-2022-1962",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T11:02:59.703Z",
"references": [
{
"type": "WEB",
"url": "https://go.dev/cl/417063"
},
{
"type": "WEB",
"url": "https://go.dev/issue/53616"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0515"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962"
}
],
"schema_version": "1.5.0",
"summary": "Stack exhaustion due to deeply nested types in go/parser"
}
CERTFR-2022-AVI-1040
Vulnerability from certfr_avis - Published: 2022-11-21 - Updated: 2022-11-21
De multiples vulnérabilités ont été découvertes dans IBM Spectrum Protect. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes versions 10.1.5 \u00e0 10.1.12.1 ant\u00e9rieures \u00e0 10.1.12.2",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Plus Container Backup and Restore for OpenShift versions 10.1.7 \u00e0 10.1.12.1 ant\u00e9rieures \u00e0 10.1.12.2",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2022-32190",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32190"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2022-32149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32149"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
}
],
"initial_release_date": "2022-11-21T00:00:00",
"last_revision_date": "2022-11-21T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-1040",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-11-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum\nProtect. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nun d\u00e9ni de service \u00e0 distance, un contournement de la politique de\ns\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Protect",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6838883 du 17 novembre 2022",
"url": "https://www.ibm.com/support/pages/node/6838883"
}
]
}
CERTFR-2023-AVI-0272
Vulnerability from certfr_avis - Published: 2023-03-30 - Updated: 2023-03-30
De multiples vulnérabilités ont été découvertes dans les produits IBM. Elles permettent à un attaquant de provoquer un déni de service à distance, une élévation de privilèges, un contournement de la politique de sécurité, une exécution de code arbitraire, une injection de code indirecte à distance (XSS), une atteinte à la confidentialité des données et un problème de sécurité non spécifié par l'éditeur.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | WebSphere | IBM WebSphere Automation versions antérieures à 1.5.2 | ||
| IBM | Spectrum | IBM Spectrum Protect Plus Container Agent (Red Hat OpenShift) versions antérieures à 10.1.12.4 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM 7.4.3 sans le correctif de sécurité FP9 | ||
| IBM | Spectrum | IBM Spectrum Protect Plus Container Agent (Kubernetes) versions antérieures à 10.1.12.4 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM 7.5.0 sans le correctif de sécurité UP4 IF01 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM WebSphere Automation versions ant\u00e9rieures \u00e0 1.5.2",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Plus Container Agent (Red Hat OpenShift) versions ant\u00e9rieures \u00e0 10.1.12.4",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM 7.4.3 sans le correctif de s\u00e9curit\u00e9 FP9",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Plus Container Agent (Kubernetes) versions ant\u00e9rieures \u00e0 10.1.12.4",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM 7.5.0 sans le correctif de s\u00e9curit\u00e9 UP4 IF01",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2022-23825",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23825"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"name": "CVE-2022-41722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41722"
},
{
"name": "CVE-2022-29900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29900"
},
{
"name": "CVE-2022-29901",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29901"
},
{
"name": "CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2023-27589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27589"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2022-41720",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41720"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2023-25136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25136"
},
{
"name": "CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"name": "CVE-2022-26373",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26373"
},
{
"name": "CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"name": "CVE-2022-42898",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42898"
},
{
"name": "CVE-2022-41721",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41721"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2022-2588",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2588"
},
{
"name": "CVE-2022-30580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30580"
},
{
"name": "CVE-2022-23816",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23816"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2022-41727",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41727"
},
{
"name": "CVE-2022-40898",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40898"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
}
],
"initial_release_date": "2023-03-30T00:00:00",
"last_revision_date": "2023-03-30T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0272",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-03-30T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nun d\u00e9ni de service \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges, un\ncontournement de la politique de s\u00e9curit\u00e9, une ex\u00e9cution de code\narbitraire, une injection de code indirecte \u00e0 distance (XSS), une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967016 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967016"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6966998 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6966998"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6965352 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6965352"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…