CVE-2022-41715 (GCVE-0-2022-41715)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-02-13 16:33 – CWE 400: Uncontrolled Resource Consumption
| Vendor | Product | Version |
|---|---|---|
| Go standard library | regexp/syntax | Affected: 0, < 1.18.7 (semver); Affected: 1.19.0-0, < 1.19.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/55949"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/439356"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-1039"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "regexp/syntax",
"product": "regexp/syntax",
"programRoutines": [
{
"name": "parser.push"
},
{
"name": "parser.repeat"
},
{
"name": "parser.factor"
},
{
"name": "parse"
},
{
"name": "Parse"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.18.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.19.2",
"status": "affected",
"version": "1.19.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Adam Korczynski (ADA Logics)"
},
{
"lang": "en",
"value": "OSS-Fuzz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:09:55.534Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/55949"
},
{
"url": "https://go.dev/cl/439356"
},
{
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-1039"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Memory exhaustion when compiling regular expressions in regexp/syntax"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-41715",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-28T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:33:07.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-41715",
"date": "2026-05-29",
"epss": "0.00016",
"percentile": "0.04162"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-41715\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2022-10-14T15:16:20.780\",\"lastModified\":\"2024-11-21T07:23:43.367\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.\"},{\"lang\":\"es\",\"value\":\"Los programas que compilan expresiones regulares desde fuentes no confiables pueden ser vulnerables al agotamiento de la memoria o a la denegaci\u00f3n de servicio. La representaci\u00f3n de la regexp analizada es lineal en el tama\u00f1o de la entrada, pero en algunos casos el factor constante puede llegar a ser de 40.000, lo que hace que regexps relativamente peque\u00f1as consuman cantidades mucho mayores de memoria. Despu\u00e9s de la correcci\u00f3n, cada regexp que es analizado est\u00e1 limitada a un espacio de memoria de 256 MB. Las expresiones regulares cuya representaci\u00f3n use m\u00e1s espacio que eso son rechazadas. 
El uso normal de las expresiones regulares no est\u00e1 afectado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.18.7\",\"matchCriteriaId\":\"9CB667C1-EC12-4400-B4F0-6D3B7DDAAD99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.19.0\",\"versionEndExcluding\":\"1.19.2\",\"matchCriteriaId\":\"7614AA04-CA34-4ED8-B580-005EA84BD5B4\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/439356\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/55949\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2022-1039\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/cl/439356\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/55949\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/xtuG5faxtaU\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2022-1039\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2023:1042
Vulnerability from csaf_redhat – Published: 2023-03-06 18:38 – Updated: 2026-05-29 20:32

A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
A flaw was found in the golang standard library, go/parser. When calling any of the Parse functions on Go source code that contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in the golang package, where requests forwarded by the reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy's director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion, which allows an attacker to impact system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in golang. Calling the Reader.Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, which allows an attacker to impact system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, making a relatively small regexp consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 | — | | |
| Unresolved product id: 8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 | — | | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional\noperator, based on the Kubernetes Event Driven Autoscaler (KEDA), that allows workloads to be scaled using additional metrics sources other than pod metrics.\nThis release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions.\n\nThis version makes use of newer tools and libraries to address the following issues:\ngolang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\ngolang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\ngolang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\ngolang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\ngolang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\ngolang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\ngolang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)\ngolang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\ngolang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\ngolang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\ngolang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\ngolang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\ngolang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\ngolang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)\ngolang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1042",
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2077689",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077689"
},
{
"category": "external",
"summary": "2100763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2100763"
},
{
"category": "external",
"summary": "2107342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107342"
},
{
"category": "external",
"summary": "2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "2107376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107376"
},
{
"category": "external",
"summary": "2107383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107383"
},
{
"category": "external",
"summary": "2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "2107388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107388"
},
{
"category": "external",
"summary": "2107390",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107390"
},
{
"category": "external",
"summary": "2107392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107392"
},
{
"category": "external",
"summary": "2113945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113945"
},
{
"category": "external",
"summary": "2118404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2118404"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2134010",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134010"
},
{
"category": "external",
"summary": "OCPNODE-1260",
"url": "https://issues.redhat.com/browse/OCPNODE-1260"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1042.json"
}
],
"title": "Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)",
"tracking": {
"current_release_date": "2026-05-29T20:32:04+00:00",
"generator": {
"date": "2026-05-29T20:32:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:1042",
"initial_release_date": "2023-03-06T18:38:53+00:00",
"revision_history": [
{
"date": "2023-03-06T18:38:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-06T18:38:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-29T20:32:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Custom Metrics Autoscaler 2",
"product": {
"name": "OpenShift Custom Metrics Autoscaler 2",
"product_id": "8Base-OCMA-2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.0::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Custom Metrics Autoscaler"
},
{
"branches": [
{
"category": "product_version",
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"product": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"product_id": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8\u0026tag=2.8.2-143"
}
}
},
{
"category": "product_version",
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64",
"product": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64",
"product_id": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64",
"product_identification_helper": {
"purl": "pkg:oci/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8\u0026tag=2.8.2-143"
}
}
},
{
"category": "product_version",
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"product": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"product_id": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"product_identification_helper": {
"purl": "pkg:oci/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle\u0026tag=2.8.2-143"
}
}
},
{
"category": "product_version",
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"product": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"product_id": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"product_identification_helper": {
"purl": "pkg:oci/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator\u0026tag=2.8.2-143"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
"product_id": "8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64"
},
"product_reference": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"relates_to_product_reference": "8Base-OCMA-2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
"product_id": "8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
},
"product_reference": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"relates_to_product_reference": "8Base-OCMA-2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
"product_id": "8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
},
"product_reference": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"relates_to_product_reference": "8Base-OCMA-2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
"product_id": "8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
},
"product_reference": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64",
"relates_to_product_reference": "8Base-OCMA-2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1705",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107374"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating \"chunked\" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly fails to reject the header as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: improper sanitization of Transfer-Encoding header",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"category": "external",
"summary": "RHBZ#2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705"
},
{
"category": "external",
"summary": "https://go.dev/issue/53188",
"url": "https://go.dev/issue/53188"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: improper sanitization of Transfer-Encoding header"
},
{
"cve": "CVE-2022-1962",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107376"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang standard library, go/parser. Calling any of the Parse functions on Go source code that contains deeply nested types or declarations can cause a panic due to stack exhaustion. This issue allows an attacker to impact system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: go/parser: stack exhaustion in all Parse* functions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"category": "external",
"summary": "RHBZ#2107376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962"
},
{
"category": "external",
"summary": "https://go.dev/issue/53616",
"url": "https://go.dev/issue/53616"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: go/parser: stack exhaustion in all Parse* functions"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-2879",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132867"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package archive/tar, where Reader.Read does not set a limit on the maximum size of file headers. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.\n\n\nThis flaw additionally affects the github.com/vbatts/tar-split library and was fixed in v0.12.1.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2879"
},
{
"category": "external",
"summary": "RHBZ#2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54853",
"url": "https://github.com/golang/go/issues/54853"
},
{
"category": "external",
"summary": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1",
"url": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers"
},
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"cve": "CVE-2022-28131",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107390"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: encoding/xml: stack exhaustion in Decoder.Skip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability exists in the calling of the function decoder.skip to a deeply nested XML document. Although the vulnerability exists, it may require that the application accept deeply nested XML from untrusted sources and specifically calls Decoder.Skip on it. In many deployments, that code path might not even be reachable or exposed to external input. On top of that, a successful exploitation will only result in denial of service due to stack exhaustion, which is why this has been marked as moderate by Red Hat.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"category": "external",
"summary": "RHBZ#2107390",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107390"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-28131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28131"
},
{
"category": "external",
"summary": "https://go.dev/issue/53614",
"url": "https://go.dev/issue/53614"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: encoding/xml: stack exhaustion in Decoder.Skip"
},
{
"cve": "CVE-2022-28327",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2022-04-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2077689"
}
],
"notes": [
{
"category": "description",
"text": "An integer overflow flaw was found in Golang\u0027s crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/elliptic: panic caused by oversized scalar",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A moderate severity flaw was found in Go\u2019s crypto/elliptic package in the generic P-256 implementation. If a scalar input longer than 32 bytes is supplied, P256().ScalarMult or P256().ScalarBaseMult can panic, causing the application to crash. Indirect uses via crypto/ecdsa and crypto/tls are not affected. This issue impacts availability but does not affect confidentiality or integrity. Only certain platforms (non-amd64, non-arm64, non-ppc64le, non-s390x) may be affected.\n\nRed Hat Enterprise Linux 7, 8 and 9 are affected, because the code-base is affected by this vulnerability.\n\nRed Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope. \n\nRed Hat Developer Tools - Compilers (go-toolset-1.16-golang \u0026 go-toolset-1.17-golang), ships the vulnerable code and affected by this vulnerability.\n\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle \u0026 Updates Policy: https://access.redhat.com/support/policy/updates/errata/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-28327"
},
{
"category": "external",
"summary": "RHBZ#2077689",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077689"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-28327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28327"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-28327",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28327"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8",
"url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/elliptic: panic caused by oversized scalar"
},
{
"cve": "CVE-2022-30630",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107371"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: io/fs: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "RH ProdSec has set the Impact of this vulnerability to Moderate as there is no known method to execute arbitary code. Successful exploitation of this bug can cause the application under attack to panic, merely causing a Denial of Service at the application level. As the kernel is unaffected by this bug, the user can merely relaunch the application to fix the problem. Also, if somehow the application keeps relaunching, the timer watchdogs in the default RHEL kernel will stop the attack in its tracks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"category": "external",
"summary": "RHBZ#2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630"
},
{
"category": "external",
"summary": "https://go.dev/issue/53415",
"url": "https://go.dev/issue/53415"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: io/fs: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30631",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: compress/gzip: stack exhaustion in Reader.Read",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit CVE-2022-30631, an attacker supplies a specially crafted gzip archive to a Go application that uses a vulnerable version of the compress/gzip package without adequate input validation. This can lead to uncontrolled recursion, resulting in stack exhaustion and causing the application to panic, thereby affecting its availability.\n\nAs this is merely a DoS and there is no known way to control the instruction pointer, RH ProdSec has set the impact of this vulnerabilty to \"Moderate\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"category": "external",
"summary": "RHBZ#2107342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30631",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30631"
},
{
"category": "external",
"summary": "https://go.dev/issue/53168",
"url": "https://go.dev/issue/53168"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: compress/gzip: stack exhaustion in Reader.Read"
},
{
"cve": "CVE-2022-30632",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107386"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: path/filepath: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The exploitation of this flaw will only result in a denial of service of the application via the application crashing which is why this has been rated as moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"category": "external",
"summary": "RHBZ#2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632"
},
{
"category": "external",
"summary": "https://go.dev/issue/53416",
"url": "https://go.dev/issue/53416"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: path/filepath: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30633",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the \"any\" field tag, can cause a panic due to stack exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: encoding/xml: stack exhaustion in Unmarshal",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has marked this as moderate impact for two primary reasons:\n1. Though the vulnerability exists, it is hard to exploit in real scenarios (e.g., the attacker must be able to feed crafted XML documents into specific code paths).\n2. The vulnerability is a denial of service (DoS) due to stack exhaustion rather than code execution or a data breach, so it does not compromise confidentiality or integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"category": "external",
"summary": "RHBZ#2107392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30633",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30633"
},
{
"category": "external",
"summary": "https://go.dev/issue/53611",
"url": "https://go.dev/issue/53611"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: encoding/xml: stack exhaustion in Unmarshal"
},
{
"cve": "CVE-2022-30635",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107388"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: encoding/gob: stack exhaustion in Decoder.Decode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) from the 4.10 stream onward is already compiled with the patched version of Go and is therefore not affected by this vulnerability. The vulnerability has been rated as moderate instead of high because it can only result in a minor denial of service.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"category": "external",
"summary": "RHBZ#2107388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30635",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30635"
},
{
"category": "external",
"summary": "https://go.dev/issue/53615",
"url": "https://go.dev/issue/53615"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: encoding/gob: stack exhaustion in Decoder.Decode"
},
{
"cve": "CVE-2022-32148",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107383"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"category": "external",
"summary": "RHBZ#2107383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148"
},
{
"category": "external",
"summary": "https://go.dev/issue/53423",
"url": "https://go.dev/issue/53423"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working"
},
{
"cve": "CVE-2022-32149",
"cwe": {
"id": "CWE-407",
"name": "Inefficient Algorithmic Complexity"
},
"discovery_date": "2022-10-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134010"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "After careful analysis of the vulnerability, Red Hat is keeping the severity at moderate. The vulnerability exists in the ParseAcceptLanguage function of the golang.org/x/text/language package: an attacker could craft an unusually large Accept-Language header that the parser takes quadratic time to finish. The attacker would first have to find a way to smuggle such input to the parser, and even then the result is not a crash of any kind but a resource hang, which, while unpleasant, does not equate to real-world damage.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32149"
},
{
"category": "external",
"summary": "RHBZ#2134010",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134010"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149"
},
{
"category": "external",
"summary": "https://go.dev/issue/56152",
"url": "https://go.dev/issue/56152"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/qfPIly0X7aU",
"url": "https://groups.google.com/g/golang-dev/c/qfPIly0X7aU"
}
],
"release_date": "2022-10-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"known_not_affected": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T18:38:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1042"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8@sha256:c79cb3c68317a224277a8ee0dc78832fcd4b6da18b9b5b074cffaad14e2f1aa5_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-operator-bundle@sha256:44de4b736089166718956bebd456ad1a17e0e6f72c49f52804c6b6e60ef5a494_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator@sha256:5a149d0a0cdb6812acbef0c9b3031fb3cd84181e971198a6e17d8fd0bf5e6293_amd64",
"8Base-OCMA-2:custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8@sha256:a403d057cd2ca820306207282007d4d117623e1a2ebb8bee67c19f5796f07f95_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
}
]
}
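The CVE-2022-30633 entry above (encoding/xml, stack exhaustion when Unmarshal recurses through a struct with a `,any` field) describes the failure mode but not a guard. The following is an added example, written for this page and not code from Red Hat or the Go project: it streams the document once with `xml.Decoder` to measure element nesting, rejects anything deeper than a caller-chosen limit, and only then calls `xml.Unmarshal`. The `Node` type, `ErrTooDeep`, the limit of 32 and the `<a><a>...</a></a>` sample documents are all constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when element nesting exceeds the configured limit.
var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// checkDepth streams the document once with xml.Decoder and fails fast when
// element nesting exceeds maxDepth. Token streaming uses constant stack
// regardless of nesting, unlike recursive unmarshalling into a struct.
func checkDepth(doc []byte, maxDepth int) error {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// Node is the shape the advisory describes: a struct whose ",any" field
// collects arbitrary child elements, so decoding recurses once per level.
// (Constructed for this example.)
type Node struct {
	XMLName  xml.Name
	Children []Node `xml:",any"`
}

// UnmarshalBounded rejects documents nested deeper than maxDepth before
// handing them to xml.Unmarshal.
func UnmarshalBounded(doc []byte, maxDepth int) (*Node, error) {
	if err := checkDepth(doc, maxDepth); err != nil {
		return nil, err
	}
	var n Node
	if err := xml.Unmarshal(doc, &n); err != nil {
		return nil, err
	}
	return &n, nil
}

// nested builds a constructed sample <a><a>...</a></a> with the given depth.
func nested(depth int) []byte {
	var b strings.Builder
	for i := 0; i < depth; i++ {
		b.WriteString("<a>")
	}
	for i := 0; i < depth; i++ {
		b.WriteString("</a>")
	}
	return []byte(b.String())
}

func main() {
	for _, d := range []int{3, 100} {
		_, err := UnmarshalBounded(nested(d), 32)
		fmt.Printf("depth %d with limit 32: err=%v\n", d, err)
	}
}
```

The pre-pass costs one extra parse of the input, which is cheap compared with the allocation it prevents; the same token-counting loop can also cap element count or attribute count if the application needs those bounds.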
RHSA-2023:1079
Vulnerability from csaf_redhat - Published: 2023-03-06 16:23 - Updated: 2026-05-28 20:28

CVE-2022-2879 (archive/tar): A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 | — | | Vendor fix |
CVE-2022-41715 (regexp/syntax): A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, making a relatively small regexp consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 | — | | Vendor fix |
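Both CVE-2022-41715 entries on this page (the custom-metrics-autoscaler record above and the RHSA-2023:1079 entry here) say that the fixed toolchain rejects oversized parse trees, but an application that accepts patterns from users still wants its own, tighter budget, and older toolchains get no protection at all. The following is an added example, not code from Red Hat or the Go project: it bounds the raw pattern length, parses with the same flags `regexp.Compile` uses, expands counted repetitions with `Simplify`, and counts the instructions of the compiled program before compiling for real. The instruction count is a proxy chosen for this example; it is not the metric the upstream fix uses. `MaxPatternLen`, the error values, the instruction budget of 500 and the sample patterns are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
)

// MaxPatternLen is an assumed application limit on the pattern source length.
const MaxPatternLen = 256

var (
	ErrPatternTooLong = errors.New("regexp: pattern exceeds length limit")
	ErrPatternTooBig  = errors.New("regexp: compiled program exceeds instruction budget")
)

// CompileUntrusted compiles a caller-supplied pattern only if it stays within
// two budgets: the raw length of the source and the number of instructions in
// the compiled program. The instruction count is a proxy for the memory the
// parsed and simplified form occupies; it is not the metric the Go fix uses.
func CompileUntrusted(pattern string, maxInsts int) (*regexp.Regexp, error) {
	if len(pattern) > MaxPatternLen {
		return nil, ErrPatternTooLong
	}
	// Parse with the same flags regexp.Compile uses. The parser itself rejects
	// repeat counts above 1000 and, on patched toolchains, oversized trees.
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return nil, err
	}
	// Simplify expands counted repetitions (a{100} becomes 100 copies of a),
	// which is exactly where small patterns grow; syntax.Compile requires it.
	prog, err := syntax.Compile(re.Simplify())
	if err != nil {
		return nil, err
	}
	if len(prog.Inst) > maxInsts {
		return nil, fmt.Errorf("%w: %d > %d", ErrPatternTooBig, len(prog.Inst), maxInsts)
	}
	// Within budget: compile normally so callers get a *regexp.Regexp.
	return regexp.Compile(pattern)
}

func main() {
	// Constructed sample patterns: a routine validator and a nested repeat
	// whose expanded form is about 1000 literal instructions.
	for _, p := range []string{`^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$`, `(a{100}){10}`} {
		_, err := CompileUntrusted(p, 500)
		fmt.Printf("%-45q err=%v\n", p, err)
	}
}
```

Because `Simplify` is what turns `(a{100}){10}` into a thousand nodes, measuring after it catches the blow-up the advisory describes even though the source pattern is only twelve bytes long; a length check alone would wave it through.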
CVE-2022-41717 (net/http): A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 | — | | Vendor fix |
| Unresolved product id: 8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 | — | | Vendor fix |
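The CVE-2022-32148 entry earlier on this page (net/http/httputil, "omit X-Forwarded-For not working") turns on a detail of ReverseProxy: a nil entry for `X-Forwarded-For` in the outgoing request's header map is the documented way to tell the proxy not to populate the header, and the bug was that this nil-ness could be lost before the check ran. The following is an added example, not code from Red Hat or the Go project, showing the three choices a deployment has to make about that header: append the peer address to whatever the client sent (only safe behind a trusted hop, otherwise the chain is spoofable), strip the client's value and send only the peer address, or omit the header entirely with the nil idiom. The upstream is a recording `RoundTripper` rather than a real server, so nothing touches the network; `backend.internal`, `frontend.example`, the peer address `203.0.113.7:4242` and the `XFFMode` names are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// captureTransport stands in for the upstream: it records the request the
// proxy would have sent and answers with a canned 200, so no network is used.
type captureTransport struct{ sent *http.Request }

func (c *captureTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	c.sent = req
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    req,
	}, nil
}

// XFFMode selects how the proxy treats X-Forwarded-For (names assumed here).
type XFFMode int

const (
	XFFAppend XFFMode = iota // keep client-supplied value, append peer IP (trusted hop only)
	XFFStrip                 // drop client-supplied value, emit only the peer IP
	XFFOmit                  // emit no X-Forwarded-For at all
)

// ForwardedFor pushes one request through a single-host reverse proxy and
// returns the X-Forwarded-For value the upstream sees ("" when absent).
func ForwardedFor(clientXFF, peer string, mode XFFMode) string {
	target, _ := url.Parse("http://backend.internal") // assumed upstream; never contacted
	proxy := httputil.NewSingleHostReverseProxy(target)
	rewriteTarget := proxy.Director
	proxy.Director = func(req *http.Request) {
		rewriteTarget(req)
		switch mode {
		case XFFStrip:
			// Untrusted client: discard whatever chain it claims.
			req.Header.Del("X-Forwarded-For")
		case XFFOmit:
			// Documented idiom: a nil entry tells ReverseProxy not to populate the header.
			req.Header["X-Forwarded-For"] = nil
		}
	}
	ct := &captureTransport{}
	proxy.Transport = ct

	req := httptest.NewRequest(http.MethodGet, "http://frontend.example/", nil)
	req.RemoteAddr = peer
	if clientXFF != "" {
		req.Header.Set("X-Forwarded-For", clientXFF)
	}
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return strings.Join(ct.sent.Header.Values("X-Forwarded-For"), ", ")
}

func main() {
	// Constructed sample: a client claiming 10.0.0.1, connecting from 203.0.113.7.
	for _, m := range []XFFMode{XFFAppend, XFFStrip, XFFOmit} {
		fmt.Printf("mode %d: %q\n", m, ForwardedFor("10.0.0.1", "203.0.113.7:4242", m))
	}
}
```

Setting the nil entry inside the Director is the safe place for it: the Director operates on the proxy's own clone of the request, so the entry survives until ReverseProxy checks it. Code that instead sets the nil entry on the incoming request before calling ServeHTTP was what the CVE covered, and on an unfixed toolchain that entry could be lost in the clone and the peer address emitted anyway.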
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for osp-director-downloader-container,\nosp-director-agent-container and osp-director-operator-container is now\navailable for Red Hat OpenStack Platform 16.2 (Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Security Fix(es):\n\n* archive/tar: unbounded memory consumption when reading headers\n(CVE-2022-2879)\n\n* regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* net/http: An attacker can cause excessive memory growth in a Go server\naccepting HTTP/2 requests (CVE-2022-41717)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1079",
"url": "https://access.redhat.com/errata/RHSA-2023:1079"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "OSPK8-664",
"url": "https://issues.redhat.com/browse/OSPK8-664"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1079.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update",
"tracking": {
"current_release_date": "2026-05-28T20:28:24+00:00",
"generator": {
"date": "2026-05-28T20:28:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:1079",
"initial_release_date": "2023-03-06T16:23:58+00:00",
"revision_history": [
{
"date": "2023-03-06T16:23:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-06T16:23:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 16.2",
"product": {
"name": "Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:16.2::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"product": {
"name": "rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"product_id": "rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8/osp-director-agent\u0026tag=1.3.0-6"
}
}
},
{
"category": "product_version",
"name": "rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"product": {
"name": "rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"product_id": "rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8/osp-director-downloader\u0026tag=1.3.0-6"
}
}
},
{
"category": "product_version",
"name": "rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"product": {
"name": "rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"product_id": "rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"product_identification_helper": {
"purl": "pkg:oci/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8/osp-director-operator-bundle\u0026tag=1.3.0-10"
}
}
},
{
"category": "product_version",
"name": "rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64",
"product": {
"name": "rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64",
"product_id": "rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64",
"product_identification_helper": {
"purl": "pkg:oci/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8/osp-director-operator\u0026tag=1.3.0-5"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64"
},
"product_reference": "rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64"
},
"product_reference": "rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64"
},
"product_reference": "rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
},
"product_reference": "rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64",
"relates_to_product_reference": "8Base-RHOS-16.2"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-2879",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132867"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.\n\n\nThis flaw additionally affects the github.com/vbatts/tar-split library and was fixed in v0.12.1.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2879"
},
{
"category": "external",
"summary": "RHBZ#2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54853",
"url": "https://github.com/golang/go/issues/54853"
},
{
"category": "external",
"summary": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1",
"url": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T16:23:58+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1079"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T16:23:58+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1079"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T16:23:58+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1079"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64",
"8Base-RHOS-16.2:rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
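The CVE-2022-41715 description in the advisory above says the parsed form of a regexp stays linear in the pattern but with a constant factor that can reach 40,000, and that the fix caps each parse at 256 MB. The program below is an added example, not code from the advisory or from the Go project: it compiles untrusted patterns behind a byte cap of its own and shows how the parser's rejections surface as regexp/syntax error codes. The cap value and the sample patterns are assumptions constructed for it; the nested-repeat pattern hits the older per-expression repeat budget, while the repeated `(xx?){1000}` keeps every repeat legal and is stopped only by the size budget the fix introduced.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
	"strings"
)

// MaxPatternLen is an application-level byte cap on untrusted patterns. It is
// an assumption for this example, not a Go constant; it keeps parser input
// small regardless of which Go version is underneath.
const MaxPatternLen = 32 << 10

// CompileUntrusted compiles a pattern supplied by an untrusted party. Patterns
// over the byte cap are refused before parsing; patterns the parser itself
// refuses are returned with regexp/syntax's own error code attached.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > MaxPatternLen {
		return nil, fmt.Errorf("pattern is %d bytes, cap is %d", len(pattern), MaxPatternLen)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		var se *syntax.Error
		if errors.As(err, &se) {
			return nil, fmt.Errorf("parser rejected pattern (%s): %w", se.Code, err)
		}
		return nil, err
	}
	return re, nil
}

// RejectionCode returns the regexp/syntax error code behind err, or "" when
// the error did not come from the parser (for example, the byte cap above).
func RejectionCode(err error) string {
	var se *syntax.Error
	if errors.As(err, &se) {
		return string(se.Code)
	}
	return ""
}

// Sample patterns, constructed for this example.
var (
	// An ordinary pattern: none of the limits apply.
	PatternOK = `^[a-z0-9._-]{1,64}@example\.com$`
	// 2^10 = 1024 nested copies of x. The long-standing per-expression repeat
	// budget (1000) rejects this with "invalid repeat count".
	PatternNestedRepeat = "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})"
	// Every repeat is within that budget, yet the parsed representation would
	// run to millions of instructions. This is the shape CVE-2022-41715
	// addresses: a fixed parser stops as soon as the representation would
	// exceed its budget and reports "expression too large" (Go 1.20 exports
	// the code as syntax.ErrLarge).
	PatternTooLarge = strings.Repeat("(xx?){1000}", 2000)
	// Over the byte cap: never reaches the parser at all.
	PatternOverCap = strings.Repeat("a", MaxPatternLen+1)
)

func main() {
	for _, p := range []struct{ label, pattern string }{
		{"ordinary", PatternOK},
		{"nested repeat", PatternNestedRepeat},
		{"too large", PatternTooLarge},
		{"over byte cap", PatternOverCap},
	} {
		_, err := CompileUntrusted(p.pattern)
		fmt.Printf("%-14s len=%-6d rejected=%-5t code=%q\n",
			p.label, len(p.pattern), err != nil, RejectionCode(err))
	}
}
```

Compile once at the trust boundary and treat any rejection as final for that input. The byte cap is cheap insurance even on patched Go: 256 MB is generous for one request but not for a burst of them, and a short pattern cannot reach it.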
RHSA-2023:1174
Vulnerability from csaf_redhat - Published: 2023-03-09 01:24 - Updated: 2026-05-28 20:28
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64 | — |
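The description at the top of this advisory says archive/tar now stops reading a header block at 1 MiB. What follows is an added example, not code from the advisory or from the Go project: it reads an archive from an untrusted source under caps the library cannot set for you (total bytes, members, bytes per member), and hand-assembles an archive whose PAX extended header claims 2 MiB so the library's rejection can be observed. The cap values, the member names and the archive bytes are constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Caps for archives from untrusted sources; the values are assumptions made
// for this example, not archive/tar defaults.
const (
	MaxArchiveBytes = 8 << 20  // bytes read from the stream in total
	MaxEntryBytes   = 64 << 10 // largest single member we will consume
	MaxEntries      = 100      // members per archive
)

// ReadUntrusted walks a tar stream under the caps above and returns the
// headers it accepted. The 1 MiB limit on PAX and GNU special headers
// (CVE-2022-2879) is enforced by archive/tar itself from Go 1.18.7/1.19.2 on
// and surfaces from Next as tar.ErrFieldTooLong; the caps here cover what
// the library cannot know about the caller's budget.
func ReadUntrusted(src io.Reader) ([]tar.Header, error) {
	tr := tar.NewReader(io.LimitReader(src, MaxArchiveBytes))
	var hdrs []tar.Header
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return hdrs, nil
		}
		if err != nil {
			return hdrs, fmt.Errorf("member %d: %w", len(hdrs)+1, err)
		}
		if len(hdrs) >= MaxEntries {
			return hdrs, fmt.Errorf("archive exceeds %d members", MaxEntries)
		}
		if hdr.Size > MaxEntryBytes {
			return hdrs, fmt.Errorf("%q declares %d bytes, cap is %d", hdr.Name, hdr.Size, MaxEntryBytes)
		}
		// Second limiter on the body: even a declared size we accept can never
		// pull more than the cap out of the stream.
		if _, err := io.Copy(io.Discard, io.LimitReader(tr, MaxEntryBytes)); err != nil {
			return hdrs, err
		}
		hdrs = append(hdrs, *hdr)
	}
}

// IsHeaderTooLong reports whether err is archive/tar's special-header limit.
func IsHeaderTooLong(err error) bool { return errors.Is(err, tar.ErrFieldTooLong) }

// BuildArchive makes a well-formed one-member archive with archive/tar
// (constructed sample input).
func BuildArchive(name string, size int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(size), Typeflag: tar.TypeReg})
	if err == nil {
		_, err = tw.Write(bytes.Repeat([]byte{'a'}, size))
	}
	if err == nil {
		err = tw.Close()
	}
	if err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// CraftOversizedPAX hand-assembles an archive whose first block is a PAX
// extended header ('x') declaring payloadSize bytes of records, followed by
// that much filler. It is built byte by byte so the demonstration does not
// depend on what tar.Writer is willing to emit. (Constructed sample input.)
func CraftOversizedPAX(payloadSize int) []byte {
	var blk [512]byte
	copy(blk[0:], "PaxHeaders.0/evil")                     // name
	copy(blk[100:], "0000644\x00")                         // mode
	copy(blk[124:], fmt.Sprintf("%011o\x00", payloadSize)) // size, octal
	copy(blk[148:], "        ")                            // checksum field counts as spaces
	blk[156] = tar.TypeXHeader                             // typeflag 'x'
	copy(blk[257:], "ustar\x00")                           // magic
	copy(blk[263:], "00")                                  // version
	sum := 0
	for _, c := range blk {
		sum += int(c)
	}
	copy(blk[148:], fmt.Sprintf("%06o\x00 ", sum))
	out := append(blk[:], bytes.Repeat([]byte{'a'}, payloadSize)...)
	if pad := payloadSize % 512; pad != 0 {
		out = append(out, make([]byte, 512-pad)...)
	}
	return append(out, make([]byte, 1024)...) // two zero blocks end the archive
}

func main() {
	for label, data := range map[string][]byte{
		"benign":           BuildArchive("docs/readme.txt", 1024),
		"oversized member": BuildArchive("big.bin", MaxEntryBytes+1),
		"2 MiB PAX header": CraftOversizedPAX(2 << 20),
	} {
		hdrs, err := ReadUntrusted(bytes.NewReader(data))
		fmt.Printf("%-17s members=%d err=%v\n", label, len(hdrs), err)
	}
}
```

On a Go older than the fix, the crafted archive makes Next buffer the whole declared header before failing; on a fixed Go it stops after 1 MiB and reports tar.ErrFieldTooLong. The outer io.LimitReader is what keeps a stream that never ends from mattering either way.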
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
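The behaviour just described, as an added example that is not part of the advisory or of Go's own code: a ReverseProxy whose Transport is a fake that records the outbound query, so the effect of the Director calling ParseForm can be seen without a network. The backend host name, the inbound request and its unparseable `%zz` value are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"strings"
)

// recordingTransport stands in for the network: it notes the query string
// the proxy is about to send upstream and answers with a canned response.
// (Constructed for this example.)
type recordingTransport struct{ sent *string }

func (t recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	*t.sent = req.URL.RawQuery
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("upstream ok")),
		Request:    req,
	}, nil
}

// NewProxy builds a ReverseProxy to a hypothetical backend. With parseForm
// set, the Director calls ParseForm on the outbound request, which sets its
// Form field. That is the signal the fix keys on: when Form is set after
// Director returns, Go 1.18.7/1.19.2+ re-encode the forwarded query from
// what url.ParseQuery accepted, dropping any parameter it could not parse.
// Without it the raw query is forwarded byte for byte.
func NewProxy(parseForm bool, sent *string) *httputil.ReverseProxy {
	const backend = "backend.internal" // assumed upstream host
	return &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			req.URL.Scheme = "http"
			req.URL.Host = backend
			req.Host = backend
			if parseForm {
				_ = req.ParseForm() // any decision based on req.Form would follow here
			}
		},
		Transport: recordingTransport{sent: sent},
	}
}

// ForwardedQuery runs one inbound request through the proxy and returns the
// raw query that reached the (fake) backend.
func ForwardedQuery(parseForm bool, target string) string {
	var sent string
	p := NewProxy(parseForm, &sent)
	p.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, target, nil))
	return sent
}

func main() {
	// Constructed inbound request: "bad" carries an invalid percent-escape,
	// which url.ParseQuery rejects while keeping the other parameters.
	const inbound = "/search?q=ok&bad=%zz&x=1"
	fmt.Println("Director does not parse:", ForwardedQuery(false, inbound))
	fmt.Println("Director parses form:   ", ForwardedQuery(true, inbound))
}
```

The smuggling risk is the disagreement: a proxy that decides on req.Form sees no `bad` parameter, while a backend that scans the raw query would. Parsing in the Director makes the proxy forward only what it itself saw, so both sides reason about the same parameters.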
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64 | — | ||
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, so a relatively small regexp can consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64 | — | ||
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64 | — | | Vendor Fix: fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64 | — | ||
| Unresolved product id: 8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x | — | ||
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "OpenShift API for Data Protection (OADP) 1.1.2 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.\n\nSecurity Fix(es) from Bugzilla:\n\n* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1174",
"url": "https://access.redhat.com/errata/RHSA-2023:1174"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "OADP-1056",
"url": "https://issues.redhat.com/browse/OADP-1056"
},
{
"category": "external",
"summary": "OADP-1150",
"url": "https://issues.redhat.com/browse/OADP-1150"
},
{
"category": "external",
"summary": "OADP-1217",
"url": "https://issues.redhat.com/browse/OADP-1217"
},
{
"category": "external",
"summary": "OADP-1256",
"url": "https://issues.redhat.com/browse/OADP-1256"
},
{
"category": "external",
"summary": "OADP-1289",
"url": "https://issues.redhat.com/browse/OADP-1289"
},
{
"category": "external",
"summary": "OADP-290",
"url": "https://issues.redhat.com/browse/OADP-290"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1174.json"
}
],
"title": "Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update",
"tracking": {
"current_release_date": "2026-05-28T20:28:25+00:00",
"generator": {
"date": "2026-05-28T20:28:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:1174",
"initial_release_date": "2023-03-09T01:24:50+00:00",
"revision_history": [
{
"date": "2023-03-09T01:24:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-09T01:24:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "8Base-OADP-1.1",
"product": {
"name": "8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_api_data_protection:1.1::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift API for Data Protection"
},
{
"branches": [
{
"category": "product_version",
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"product": {
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"product_id": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel8\u0026tag=1.1.2-18"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"product": {
"name": "oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"product_id": "oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel8\u0026tag=1.1.2-26"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"product": {
"name": "oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"product_id": "oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-operator-bundle\u0026tag=1.1.2-31"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"product": {
"name": "oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"product_id": "oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-rhel8-operator\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"product": {
"name": "oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"product_id": "oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel8\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"product": {
"name": "oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"product_id": "oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"product": {
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"product_id": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"product": {
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"product_id": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-csi-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"product": {
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"product_id": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"product": {
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"product_id": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"product": {
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"product_id": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-restic-restore-helper-rhel8\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"product": {
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"product_id": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-volume-snapshot-mover-rhel8\u0026tag=1.1.2-13"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"product": {
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"product_id": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel8\u0026tag=1.1.2-18"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"product": {
"name": "oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"product_id": "oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel8\u0026tag=1.1.2-26"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"product": {
"name": "oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"product_id": "oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-operator-bundle\u0026tag=1.1.2-31"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"product": {
"name": "oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"product_id": "oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-rhel8-operator\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"product": {
"name": "oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"product_id": "oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel8\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"product": {
"name": "oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"product_id": "oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"product": {
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"product_id": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"product": {
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"product_id": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-csi-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"product": {
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"product_id": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"product": {
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"product_id": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"product": {
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"product_id": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-restic-restore-helper-rhel8\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"product": {
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"product_id": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-volume-snapshot-mover-rhel8\u0026tag=1.1.2-13"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"product": {
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"product_id": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel8\u0026tag=1.1.2-18"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"product": {
"name": "oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"product_id": "oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel8\u0026tag=1.1.2-26"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"product": {
"name": "oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"product_id": "oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-operator-bundle\u0026tag=1.1.2-31"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"product": {
"name": "oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"product_id": "oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-rhel8-operator\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"product": {
"name": "oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"product_id": "oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel8\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"product": {
"name": "oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"product_id": "oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"product": {
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"product_id": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"product": {
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"product_id": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-csi-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"product": {
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"product_id": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"product": {
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"product_id": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel8\u0026tag=1.1.2-13"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"product": {
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"product_id": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-restic-restore-helper-rhel8\u0026tag=1.1.2-16"
}
}
},
{
"category": "product_version",
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64",
"product": {
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64",
"product_id": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-volume-snapshot-mover-rhel8\u0026tag=1.1.2-13"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x"
},
"product_reference": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64"
},
"product_reference": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le"
},
"product_reference": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x"
},
"product_reference": "oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64"
},
"product_reference": "oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le"
},
"product_reference": "oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le"
},
"product_reference": "oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64"
},
"product_reference": "oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x"
},
"product_reference": "oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64"
},
"product_reference": "oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x"
},
"product_reference": "oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le"
},
"product_reference": "oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x"
},
"product_reference": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le"
},
"product_reference": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64"
},
"product_reference": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x"
},
"product_reference": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le"
},
"product_reference": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64"
},
"product_reference": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64"
},
"product_reference": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le"
},
"product_reference": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x"
},
"product_reference": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le"
},
"product_reference": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64"
},
"product_reference": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x"
},
"product_reference": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x"
},
"product_reference": "oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64"
},
"product_reference": "oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le"
},
"product_reference": "oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le"
},
"product_reference": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x"
},
"product_reference": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64"
},
"product_reference": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64"
},
"product_reference": "oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le"
},
"product_reference": "oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
},
"product_reference": "oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x"
},
"product_reference": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le"
},
"product_reference": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"relates_to_product_reference": "8Base-OADP-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64 as a component of 8Base-OADP-1.1",
"product_id": "8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
},
"product_reference": "oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64",
"relates_to_product_reference": "8Base-OADP-1.1"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-2879",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132867"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.\n\n\nThis flaw additionally affects the github.com/vbatts/tar-split library and was fixed in v0.12.1.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
],
"known_not_affected": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2879"
},
{
"category": "external",
"summary": "RHBZ#2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54853",
"url": "https://github.com/golang/go/issues/54853"
},
{
"category": "external",
"summary": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1",
"url": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-09T01:24:50+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1174"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers"
},
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
],
"known_not_affected": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-09T01:24:50+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1174"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
],
"known_not_affected": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-09T01:24:50+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1174"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
],
"known_not_affected": [
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-09T01:24:50+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1174"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:2592551270d7dbb3aeff227eeb06c20ca14641e6f8f7f59f7ec2d5b38d740008_s390x",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:3548d98637c8573c036e28121f61c3429d5061cb32a193eb71394b2103089c6d_amd64",
"8Base-OADP-1.1:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ebdf2c40a0ca3871e085f5b1ee8653d9074d6417b00cc740a3290ee3af3169ee_ppc64le",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:1d7f1f396fe68805c144d1a538ba464f5a1efaa8cb09c9069cdbf69a6bb77c6f_s390x",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:3c296126466e6d5795ea325c06d8e9f477f58aa5f5f83d9cfaec7df7b9429c5f_amd64",
"8Base-OADP-1.1:oadp/oadp-mustgather-rhel8@sha256:ee2a7436fe117ae745c721cabd51c2779a0c1d6b2f67c2b3b7ee182c17a74061_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:9176a624a42b1d54f55a71a599f0ca80be7fd81894783e36fcc268227d694f24_ppc64le",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:a09561642d2e4016ed90e7850f2891a4c9cf89c7f3693392763d1ccf57096c27_amd64",
"8Base-OADP-1.1:oadp/oadp-operator-bundle@sha256:fb9c4f7ff88c95bc8125610339ccd25f04033c3d4194ef3435cf67a7123e9002_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:71f603874bc47c4a2ceb968687de865ef0f28b08d077e83026bb401bd9ae8748_amd64",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:7fa56d2a84a3be27d149e624be0385590e6b2193974373b2c829b322e28e270b_s390x",
"8Base-OADP-1.1:oadp/oadp-rhel8-operator@sha256:dcddfcc46a0c0a904fc0b444bbc4dbd8f04bf577d5a7be49524cb0b52b2a0abe_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:0df302701b9ce8ff480ab417eb8752c2782469f6bc0131570ca3c063f7d6a96d_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3503e8a706e573d498bd1ee21561a1612e33b4e3ca6d4ad9d97338681dc3cdf7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60b69812981b289b5e7e3052ceb2d5a7c0c14a9353aed10ad8f3da89f0674079_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:5d76a818dd642216f0a20b5324aa2125306e1cdfafc06a968da66537a589e0c2_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:6647c6226f0d688aa0509bf3975c9c5cf7fb36ca19fa79e33e37ff97598ed7f5_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:fbde2697cb2e57aa7d6655534c3677c5fc86b19710a7b870f1c6b9003033b4e8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:000c106d6f3df71a7bfe7f4dab2705eae66075f47ae9a79cdbe9b7c092a7f969_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:99e71ef7d2317bae5967978efaf0557a2f4cb346504646bb2c42f9b1f890a1e2_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:a8fdc9851bac1b31f446e149d24511bd31f1a4b0a5836493cad923a58ad19399_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:b2034cbd6c4b42f832cb02c49d224ea8c51097db4eae35955f66543fae1867a8_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:bd3898823b9634235e5b17793b42fb67ecb28758c3ed63eca2e51be3fe415c14_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:ca4895fc7d135749e88c33ed819fc41e08d216ca4b53abf488a68b4659b035ee_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:34af5f104eb6bf621eb85eb91adea036f738eba6a343dbb1b8e10f529461f152_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:b6c30ed53411f9e427e28e5768d330e3325ecd0e9f8cc999c8c5e94c2f639faa_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-plugin-rhel8@sha256:ee21d5439e5cda864e4c6bb3f24d30fb1a63a562ec16dcae9d0205fcc39d9970_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:021392da75c14255a6381a1ace934f7a546de5dccd38ab8a8bdc43a45b4fd7eb_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:0a6abd7813f4588a00dbf6a2d34c000b74329e7018fb794a89db369511782c3c_s390x",
"8Base-OADP-1.1:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:130d858d1ee18d0e1cad5368298c8916b7708f6755cfd80e3d1975c0e91ddca8_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:9dfd605af04df668214f21f19da41dfd669fc905a3888ddb178f285cef5b03e3_amd64",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d440e26f11f81d795c5b41b4110aea350b6475d42bc0f6dcc442f5808aaca9d7_ppc64le",
"8Base-OADP-1.1:oadp/oadp-velero-rhel8@sha256:d472102becfa09546580fd54704e2b1556398c5d0a0362a99fc108debff6954d_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:225b98dba7f2f210b4684f256b5abf2058e7d45db64f0bc7f46891832fc11315_s390x",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:97068c64c6eb54a26f665eeac2ff0b4e23ec97b6421044cbaa31093e9b797b62_ppc64le",
"8Base-OADP-1.1:oadp/oadp-volume-snapshot-mover-rhel8@sha256:be374c3070caf23563762952b8b181721f3869761fc837ee9b5d67d317031169_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
RHSA-2023:1275
Vulnerability from csaf_redhat - Published: 2023-03-15 19:58 - Updated: 2026-05-28 20:28

A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the invalid header.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in the golang package, where requests forwarded by a reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the reverse proxy's Director function returns, which indicates that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.
CWE-331 - Insufficient Entropy

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in golang. When Decoder.Decode is called on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, which allows an attacker to impact system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix: fix |
An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix; Workaround |
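The Rat.GobDecode and Float.GobDecode behaviour described above, as an added example that is not part of this advisory or of the Go project's own code. It truncates a valid gob encoding to simulate the too-short message, and wraps both decoders so that on an unpatched toolchain the index-out-of-range panic surfaces as an error in the calling goroutine instead of taking down the process; on a patched toolchain the decoders already return a "buffer too small" error and the wrapper simply passes it through. The helper names (safeGobDecode, decodeRat, decodeFloat, truncate) and the sample values 355/113 and 3.14159 are this example's own.

```go
package main

import (
	"fmt"
	"math/big"
)

// safeGobDecode runs one of the math/big GobDecode methods on untrusted bytes
// and converts any panic into an error. Toolchains with the CVE-2022-32189 fix
// already return "buffer too small" for truncated input; older ones panic with
// an index out of range, which would crash the whole process unless the
// goroutine doing the decoding recovers it.
func safeGobDecode(decode func([]byte) error, buf []byte) (err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("GobDecode panicked on %d-byte input: %v", len(buf), p)
		}
	}()
	return decode(buf)
}

// decodeRat returns the big.Rat encoded in buf, or an error for malformed input.
func decodeRat(buf []byte) (*big.Rat, error) {
	r := new(big.Rat)
	if err := safeGobDecode(r.GobDecode, buf); err != nil {
		return nil, err
	}
	return r, nil
}

// decodeFloat is the same guard for big.Float.
func decodeFloat(buf []byte) (*big.Float, error) {
	f := new(big.Float)
	if err := safeGobDecode(f.GobDecode, buf); err != nil {
		return nil, err
	}
	return f, nil
}

// truncate returns the first n bytes of a valid encoding, simulating the
// too-short message from the advisory (constructed test input).
func truncate(enc []byte, n int) []byte {
	if n > len(enc) {
		n = len(enc)
	}
	return enc[:n]
}

func main() {
	ratEnc, _ := big.NewRat(355, 113).GobEncode()   // 8 bytes: version, 4-byte numerator length, numerator, denominator
	floatEnc, _ := big.NewFloat(3.14159).GobEncode() // version, flags, 4-byte precision, 4-byte exponent, mantissa

	for _, tc := range []struct {
		name string
		run  func() error
	}{
		{"rat/full", func() error { _, err := decodeRat(ratEnc); return err }},
		{"rat/3 bytes", func() error { _, err := decodeRat(truncate(ratEnc, 3)); return err }},
		{"float/full", func() error { _, err := decodeFloat(floatEnc); return err }},
		{"float/2 bytes", func() error { _, err := decodeFloat(truncate(floatEnc, 2)); return err }},
	} {
		fmt.Printf("%-14s err=%v\n", tc.name, tc.run())
	}
}
```

The recover wrapper is a containment measure for services that cannot be rebuilt immediately; it does not replace updating to a fixed Go build, which rejects the malformed input without ever reaching the panic.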
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, so a relatively small regexp can consume a much larger amount of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint; regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
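A way to bound what an untrusted pattern can cost before it reaches regexp.Compile, as an added example that is neither advisory text nor Go project code. It goes beyond the 256 MB parser limit described above: it caps the raw pattern length and the size of the compiled program, and shows that the parser's existing repeat-count checks reject a{1001} and the nested (a{1000}){1000} on every Go version, while a pattern such as [a-z]{1000} repeated six times parses cleanly and is only caught by the instruction budget. The budget constants and the helper names (compileUntrusted, progSize, isRepeatSizeError) are assumptions of this example, not part of the regexp API.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
	"strings"
)

// Budgets for patterns that arrive from untrusted callers. The values are
// chosen for this example; tune them to the service.
const (
	maxPatternBytes = 1024 // raw pattern length
	maxProgInsts    = 5000 // compiled program size, a proxy for memory and match cost
)

// progSize parses and compiles pattern the same way regexp.Compile does and
// returns the number of instructions in the resulting program.
func progSize(pattern string) (int, error) {
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return 0, fmt.Errorf("parse: %w", err)
	}
	prog, err := syntax.Compile(re.Simplify())
	if err != nil {
		return 0, fmt.Errorf("compile: %w", err)
	}
	return len(prog.Inst), nil
}

// compileUntrusted compiles a user-supplied pattern only if it stays within the
// budgets above. The parser itself rejects repeat counts over 1000 (and nested
// repeats whose product exceeds 1000) on every Go version, and a patched
// toolchain additionally rejects parse trees over 256 MB; the instruction
// budget catches patterns that are small as text but large once expanded.
func compileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternBytes {
		return nil, fmt.Errorf("pattern is %d bytes, budget is %d", len(pattern), maxPatternBytes)
	}
	n, err := progSize(pattern)
	if err != nil {
		return nil, err
	}
	if n > maxProgInsts {
		return nil, fmt.Errorf("pattern compiles to %d instructions, budget is %d", n, maxProgInsts)
	}
	return regexp.Compile(pattern)
}

// isRepeatSizeError reports whether err came from the parser's repeat-count check.
func isRepeatSizeError(err error) bool {
	var se *syntax.Error
	return errors.As(err, &se) && se.Code == syntax.ErrInvalidRepeatSize
}

func main() {
	for _, p := range []string{
		`^[a-z]{3,8}@example\.com$`,      // ordinary pattern, accepted
		`a{1001}`,                        // rejected by the parser
		`(a{1000}){1000}`,                // nested repeat, rejected by the parser
		strings.Repeat(`[a-z]{1000}`, 6), // parses fine, exceeds the instruction budget
	} {
		_, err := compileUntrusted(p)
		fmt.Printf("%-30.30s repeat-size-error=%t err=%v\n", p, isRepeatSizeError(err), err)
	}
}
```

The instruction count is the same quantity regexp.Compile produces internally, so the budget is checked on exactly the program that would later run; the parse step also runs once more inside regexp.Compile, which is cheap compared with an unbounded pattern.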
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64 | — | | Vendor Fix |
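An added example, not from the advisory or the Go project, showing the mitigation a server operator has even before the fixed build is rolled out: lowering http.Server.MaxHeaderBytes. net/http advertises that value to HTTP/2 clients as SETTINGS_MAX_HEADER_LIST_SIZE and enforces it while decoding header blocks, so no single header key, and therefore no entry in the per-connection cache described above, can approach the 1 MiB default. The example starts an HTTP/2-over-TLS test server with a 16 KiB budget and probes it with a 64-byte and a 64 KiB header name; a conforming client refuses to send the oversized block once it has seen the advertised limit, and if it races ahead the server tears the stream or connection down. The server setup, the helper names (newHardenedServer, probe, rejected) and the 16 KiB figure are this example's own choices.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newHardenedServer starts an HTTP/2-over-TLS test server with a small header
// budget. MaxHeaderBytes is advertised to HTTP/2 clients as
// SETTINGS_MAX_HEADER_LIST_SIZE and applied to incoming header blocks, so a
// single header key can never be larger than this budget. Because the cache
// described in the advisory holds a bounded number of keys, shrinking the
// per-key size shrinks the worst-case per-connection allocation on unpatched
// toolchains as well.
func newHardenedServer(maxHeaderBytes int) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Proto) // echo the negotiated protocol back to the client
	}))
	srv.Config.MaxHeaderBytes = maxHeaderBytes
	srv.EnableHTTP2 = true // must be set before StartTLS; the test client then negotiates h2 via ALPN
	srv.StartTLS()
	return srv
}

// probe sends a GET whose header *name* is keyLen bytes long (the shape of the
// abusive input) and returns the status and echoed protocol, or the client error.
// The context deadline bounds the transport's automatic retries after a GOAWAY.
func probe(srv *httptest.Server, keyLen int) (status int, proto string, err error) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, srv.URL, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("X-"+strings.Repeat("k", keyLen), "1")
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(body), nil
}

// rejected reports whether probe's outcome means the headers were refused:
// either the client saw the advertised limit and declined to send, the server
// closed the stream or connection, or it answered 431.
func rejected(status int, err error) bool {
	return err != nil || status == http.StatusRequestHeaderFieldsTooLarge
}

func main() {
	srv := newHardenedServer(16 << 10) // 16 KiB instead of the 1 MiB default
	defer srv.Close()
	for _, keyLen := range []int{64, 64 << 10} {
		status, proto, err := probe(srv, keyLen)
		fmt.Printf("key=%6d bytes status=%d proto=%q rejected=%t err=%v\n",
			keyLen, status, proto, rejected(status, err), err)
	}
}
```

Pick the budget from the largest legitimate header your application actually needs (large cookies and bearer tokens are the usual reason it cannot be tiny), and pair it with a cap on concurrent connections at the load balancer, since the allocation in question is per open connection.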
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for etcd is now available for Red Hat OpenStack Platform.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "etcd is a highly-available key value store for shared configuration.\n\nThe following Important impact security fix(es) are applicable to Red Hat OpenStack Platform 17.0 (Wallaby), 16.2 (Train), and 16.1 (Train):\n\n* Improve heuristics preventing CPU/memory abuse by parsing malicious or\nlarge YAML documents (CVE-2022-3064)\n\nAs a result of being built by golang 1.18.9, the following Moderate impact security fix(es) are applicable to Red Hat OpenStack Platform 16.2 and 16.1:\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\nAs a result of being built by golang 1.18.9, the following Low impact security fix(es) are applicable to Red Hat OpenStack Platform 16.2 and 16.1:\n\n* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1275",
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2092793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092793"
},
{
"category": "external",
"summary": "2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "2107383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107383"
},
{
"category": "external",
"summary": "2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "2107388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107388"
},
{
"category": "external",
"summary": "2113814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2163037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1275.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update",
"tracking": {
"current_release_date": "2026-05-28T20:28:26+00:00",
"generator": {
"date": "2026-05-28T20:28:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:1275",
"initial_release_date": "2023-03-15T19:58:09+00:00",
"revision_history": [
{
"date": "2023-03-15T19:58:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-15T19:58:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 16.1",
"product": {
"name": "Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:16.1::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 16.2",
"product": {
"name": "Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:16.2::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-12.el8ost.src",
"product": {
"name": "etcd-0:3.3.23-12.el8ost.src",
"product_id": "etcd-0:3.3.23-12.el8ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-12.el8ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-12.el8ost.x86_64",
"product": {
"name": "etcd-0:3.3.23-12.el8ost.x86_64",
"product_id": "etcd-0:3.3.23-12.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-12.el8ost?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"product": {
"name": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"product_id": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-12.el8ost?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"product": {
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"product_id": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-12.el8ost?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "etcd-0:3.3.23-12.el8ost.ppc64le",
"product": {
"name": "etcd-0:3.3.23-12.el8ost.ppc64le",
"product_id": "etcd-0:3.3.23-12.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd@3.3.23-12.el8ost?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"product": {
"name": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"product_id": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-12.el8ost?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"product": {
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"product_id": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-12.el8ost?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-12.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le"
},
"product_reference": "etcd-0:3.3.23-12.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-12.el8ost.src as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src"
},
"product_reference": "etcd-0:3.3.23-12.el8ost.src",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-12.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64"
},
"product_reference": "etcd-0:3.3.23-12.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le"
},
"product_reference": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64"
},
"product_reference": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le"
},
"product_reference": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1",
"product_id": "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
},
"product_reference": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-12.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le"
},
"product_reference": "etcd-0:3.3.23-12.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-12.el8ost.src as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src"
},
"product_reference": "etcd-0:3.3.23-12.el8ost.src",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-0:3.3.23-12.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64"
},
"product_reference": "etcd-0:3.3.23-12.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le"
},
"product_reference": "etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64"
},
"product_reference": "etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le"
},
"product_reference": "etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"relates_to_product_reference": "8Base-RHOS-16.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2",
"product_id": "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
},
"product_reference": "etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"relates_to_product_reference": "8Base-RHOS-16.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1705",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107374"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating \"chunked\" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: improper sanitization of Transfer-Encoding header",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"category": "external",
"summary": "RHBZ#2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705"
},
{
"category": "external",
"summary": "https://go.dev/issue/53188",
"url": "https://go.dev/issue/53188"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: improper sanitization of Transfer-Encoding header"
},
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-3064",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2163037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "RHC package for Red Hat Enterprise Linux 9 mark as Low severity as we do ship the affected code but it\u0027s not easily exposed because YAML files are not parsed by RHC.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3064"
},
{
"category": "external",
"summary": "RHBZ#2163037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3064",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3064"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r",
"url": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r"
},
{
"category": "external",
"summary": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5",
"url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5"
},
{
"category": "external",
"summary": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4",
"url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-0956",
"url": "https://pkg.go.dev/vuln/GO-2022-0956"
}
],
"release_date": "2022-08-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"cve": "CVE-2022-30629",
"cwe": {
"id": "CWE-331",
"name": "Insufficient Entropy"
},
"discovery_date": "2022-06-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2092793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: session tickets lack random ticket_age_add",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30629"
},
{
"category": "external",
"summary": "RHBZ#2092793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30629",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30629"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg",
"url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg"
}
],
"release_date": "2022-06-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: crypto/tls: session tickets lack random ticket_age_add"
},
{
"cve": "CVE-2022-30630",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107371"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: io/fs: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "RH ProdSec has set the Impact of this vulnerability to Moderate as there is no known method to execute arbitrary code. Successful exploitation of this bug can cause the application under attack to panic, merely causing a Denial of Service at the application level. As the kernel is unaffected by this bug, the user can merely relaunch the application to fix the problem. Also, if somehow the application keeps relaunching, the timer watchdogs in the default RHEL kernel will stop the attack in its tracks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"category": "external",
"summary": "RHBZ#2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630"
},
{
"category": "external",
"summary": "https://go.dev/issue/53415",
"url": "https://go.dev/issue/53415"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: io/fs: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30632",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107386"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: path/filepath: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The exploitation of this flaw will only result in a denial of service of the application via the application crashing which is why this has been rated as moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"category": "external",
"summary": "RHBZ#2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632"
},
{
"category": "external",
"summary": "https://go.dev/issue/53416",
"url": "https://go.dev/issue/53416"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: path/filepath: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30635",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107388"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, which allows an attacker to impact system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: encoding/gob: stack exhaustion in Decoder.Decode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) starting from the 4.10 stream is already compiled with the patched version of Go, hence is not affected by this vulnerability. The vulnerability has been rated as moderate instead of high because it can only result in a minor denial of service.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"category": "external",
"summary": "RHBZ#2107388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30635",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30635"
},
{
"category": "external",
"summary": "https://go.dev/issue/53615",
"url": "https://go.dev/issue/53615"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: encoding/gob: stack exhaustion in Decoder.Decode"
},
{
"cve": "CVE-2022-32148",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107383"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"category": "external",
"summary": "RHBZ#2107383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148"
},
{
"category": "external",
"summary": "https://go.dev/issue/53423",
"url": "https://go.dev/issue/53423"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working"
},
{
"cve": "CVE-2022-32189",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2113814"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw stems from a particular and specific method (GobDecode) which isn\u0027t commonly used. There are few components within Red Hat offerings which call this function. In rare cases where this method is called, the component limits possible damage or it is not possible to be triggered by an attacker. For these combined reasons the impact has been downgraded to Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32189"
},
{
"category": "external",
"summary": "RHBZ#2113814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189"
},
{
"category": "external",
"summary": "https://go.dev/issue/53871",
"url": "https://go.dev/issue/53871"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU",
"url": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU"
}
],
"release_date": "2022-08-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-15T19:58:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1275"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.1:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.src",
"8Base-RHOS-16.2:etcd-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-12.el8ost.x86_64",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.ppc64le",
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-12.el8ost.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
RHSA-2023:1529
Vulnerability from csaf_redhat - Published: 2023-03-30 00:42 - Updated: 2026-05-29 20:32
A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the invalid header.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the big package of the math library in golang. Rat.SetString could cause an overflow which, if left unhandled, could lead to excessive memory use. This issue could allow a remote attacker to impact the availability of the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch whose name resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the elliptic package of the crypto library in golang, where the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix: fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the syscall.Faccessat function: when checking group permissions, it checks the permissions of the process's own group rather than checking whether the process is a member of the file's group. This flaw allows an attacker to obtain a wrong access-check result, affecting system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the crypto/tls golang package. Session tickets generated by crypto/tls are missing the ticket expiration. This issue may allow an attacker who observes TLS handshakes to correlate successive connections during session resumption.
CWE-331 - Insufficient Entropy
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in golang. Calling the Reader.Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix, Workaround |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | Workaround |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | Workaround |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | Workaround |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | Workaround |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | Workaround |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | Workaround |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, making a relatively small regexp consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 | — | | |
| Unresolved product id: 8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 | — | | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Service Telemetry Framework 1.5.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring.\n\nSecurity Fix(es):\n\n* golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806)\n\n* golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)\n\n* golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)\n\n* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)\n\n* golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)\n\n* golang: syscall: faccessat checks wrong group (CVE-2022-29526)\n\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)\n\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1529",
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2053429",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053429"
},
{
"category": "external",
"summary": "2053532",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053532"
},
{
"category": "external",
"summary": "2053541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053541"
},
{
"category": "external",
"summary": "2077688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077688"
},
{
"category": "external",
"summary": "2077689",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077689"
},
{
"category": "external",
"summary": "2084085",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084085"
},
{
"category": "external",
"summary": "2092544",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092544"
},
{
"category": "external",
"summary": "2092793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092793"
},
{
"category": "external",
"summary": "2107342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107342"
},
{
"category": "external",
"summary": "2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "2113814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2176537",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176537"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1529.json"
}
],
"title": "Red Hat Security Advisory: Service Telemetry Framework 1.5 security update",
"tracking": {
"current_release_date": "2026-05-29T20:32:05+00:00",
"generator": {
"date": "2026-05-29T20:32:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:1529",
"initial_release_date": "2023-03-30T00:42:39+00:00",
"revision_history": [
{
"date": "2023-03-30T00:42:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-30T00:42:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-29T20:32:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Service Telemetry Framework 1.5 for RHEL 8",
"product": {
"name": "Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:stf:1.5::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"product": {
"name": "stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"product_id": "stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f?arch=amd64\u0026repository_url=registry.redhat.io/stf/prometheus-webhook-snmp-rhel8\u0026tag=1.5.2-2"
}
}
},
{
"category": "product_version",
"name": "stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"product": {
"name": "stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"product_id": "stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"product_identification_helper": {
"purl": "pkg:oci/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717?arch=amd64\u0026repository_url=registry.redhat.io/stf/service-telemetry-operator-bundle\u0026tag=1.5.1678301890-1"
}
}
},
{
"category": "product_version",
"name": "stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"product": {
"name": "stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"product_id": "stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0?arch=amd64\u0026repository_url=registry.redhat.io/stf/service-telemetry-rhel8-operator\u0026tag=1.5.1-2"
}
}
},
{
"category": "product_version",
"name": "stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"product": {
"name": "stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"product_id": "stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"product_identification_helper": {
"purl": "pkg:oci/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28?arch=amd64\u0026repository_url=registry.redhat.io/stf/sg-bridge-rhel8\u0026tag=1.5.0-12"
}
}
},
{
"category": "product_version",
"name": "stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"product": {
"name": "stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"product_id": "stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"product_identification_helper": {
"purl": "pkg:oci/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37?arch=amd64\u0026repository_url=registry.redhat.io/stf/sg-core-rhel8\u0026tag=5.1.1-2"
}
}
},
{
"category": "product_version",
"name": "stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"product": {
"name": "stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"product_id": "stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"product_identification_helper": {
"purl": "pkg:oci/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546?arch=amd64\u0026repository_url=registry.redhat.io/stf/smart-gateway-operator-bundle\u0026tag=5.0.1678301890-1"
}
}
},
{
"category": "product_version",
"name": "stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64",
"product": {
"name": "stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64",
"product_id": "stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64",
"product_identification_helper": {
"purl": "pkg:oci/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471?arch=amd64\u0026repository_url=registry.redhat.io/stf/smart-gateway-rhel8-operator\u0026tag=5.0.1-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64"
},
"product_reference": "stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64"
},
"product_reference": "stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64"
},
"product_reference": "stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64"
},
"product_reference": "stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
},
"product_reference": "stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64"
},
"product_reference": "stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64 as a component of Service Telemetry Framework 1.5 for RHEL 8",
"product_id": "8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
},
"product_reference": "stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64",
"relates_to_product_reference": "8Base-STF-1.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1705",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107374"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating \"chunked\" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: improper sanitization of Transfer-Encoding header",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"category": "external",
"summary": "RHBZ#2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705"
},
{
"category": "external",
"summary": "https://go.dev/issue/53188",
"url": "https://go.dev/issue/53188"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: improper sanitization of Transfer-Encoding header"
},
{
"cve": "CVE-2022-23772",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2022-02-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2053532"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the big package of the math library in golang. The Rat.SetString could cause an overflow, and if left unhandled, it could lead to excessive memory use. This issue could allow a remote attacker to impact the availability of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux 8 and 9 are affected, because the code-base is affected by this vulnerability.\n\nRed Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope. \n\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle \u0026 Updates Policy: https://access.redhat.com/support/policy/updates/errata/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23772"
},
{
"category": "external",
"summary": "RHBZ#2053532",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053532"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23772",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23772"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23772",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23772"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
}
],
"release_date": "2022-01-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString"
},
{
"cve": "CVE-2022-23773",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2022-02-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2053541"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch whose name resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: cmd/go: misinterpretation of branch names can lead to incorrect access control",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23773"
},
{
"category": "external",
"summary": "RHBZ#2053541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053541"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23773"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23773",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23773"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
}
],
"release_date": "2022-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: cmd/go: misinterpretation of branch names can lead to incorrect access control"
},
{
"cve": "CVE-2022-23806",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"discovery_date": "2022-02-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2053429"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the elliptic package of the crypto library in golang: the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/elliptic: IsOnCurve returns true for invalid field elements",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux 8 and 9 are affected because the code-base is affected by this vulnerability.\n\nRed Hat Product Security has rated this issue as having a Moderate security impact. The issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7; hence, marked as Out-of-Support-Scope. \n\nRed Hat Developer Tools - Compilers (go-toolset-1.16 \u0026 1.17), will not be addressed in future updates as shipped only in RHEL-7, hence, marked as Out-of-Support-Scope.\n\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle \u0026 Updates Policy: https://access.redhat.com/support/policy/updates/errata/.\n\nThe vulnerability lies in crypto/elliptic: IsOnCurve accepts negative and otherwise invalid input data and panics. The same invalid input also reaches other functions that handle elliptic curve cryptography, such as Marshal, which converts points on an elliptic curve into a binary format for storage or transmission, and ScalarMult, which provides scalar multiplication; all three functions accept invalid input and crash, although the main culprit is IsOnCurve. Considering that the attack complexity is high, as the data reaching the vulnerable function could already be stripped of its negative sign, and that successful exploitation only leads to a panic/crash, the vulnerability has been rated as Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23806"
},
{
"category": "external",
"summary": "RHBZ#2053429",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053429"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23806",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23806"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23806",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23806"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
}
],
"release_date": "2022-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/elliptic: IsOnCurve returns true for invalid field elements"
},
{
"cve": "CVE-2022-24675",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"discovery_date": "2022-04-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2077688"
}
],
"notes": [
{
"category": "description",
"text": "A buffer overflow flaw was found in Golang\u0027s library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: encoding/pem: fix stack overflow in Decode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux 7, 8 and 9 are affected, because the code-base is affected by this vulnerability.\n\nRed Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope.\n\nRed Hat Developer Tools - Compilers (go-toolset-1.16-golang \u0026 go-toolset-1.17-golang) ship the vulnerable code and are affected by this vulnerability.\n\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle \u0026 Updates Policy: https://access.redhat.com/support/policy/updates/errata/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24675"
},
{
"category": "external",
"summary": "RHBZ#2077688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24675",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24675"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24675",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24675"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8",
"url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: encoding/pem: fix stack overflow in Decode"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guard rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"cve": "CVE-2022-28327",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2022-04-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2077689"
}
],
"notes": [
{
"category": "description",
"text": "An integer overflow flaw was found in Golang\u0027s crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/elliptic: panic caused by oversized scalar",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A moderate severity flaw was found in Go\u2019s crypto/elliptic package in the generic P-256 implementation. If a scalar input longer than 32 bytes is supplied, P256().ScalarMult or P256().ScalarBaseMult can panic, causing the application to crash. Indirect uses via crypto/ecdsa and crypto/tls are not affected. This issue impacts availability but does not affect confidentiality or integrity. Only certain platforms (non-amd64, non-arm64, non-ppc64le, non-s390x) may be affected.\n\nRed Hat Enterprise Linux 7, 8 and 9 are affected, because the code-base is affected by this vulnerability.\n\nRed Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope. \n\nRed Hat Developer Tools - Compilers (go-toolset-1.16-golang \u0026 go-toolset-1.17-golang) ships the vulnerable code and is affected by this vulnerability.\n\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle \u0026 Updates Policy: https://access.redhat.com/support/policy/updates/errata/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-28327"
},
{
"category": "external",
"summary": "RHBZ#2077689",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077689"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-28327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28327"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-28327",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28327"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8",
"url": "https://groups.google.com/g/golang-announce/c/oecdBNLOml8"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/elliptic: panic caused by oversized scalar"
},
{
"acknowledgments": [
{
"names": [
"Jo\u00ebl G\u00e4hwiler"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-29526",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2022-05-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2084085"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the syscall.Faccessat function in Golang. When called with a non-zero flags argument, Faccessat checked the wrong group when evaluating group permission bits, testing the process\u0027s own group rather than whether the process is a member of the file\u0027s group. As a result it could incorrectly report that a file is accessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: syscall: faccessat checks wrong group",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29526"
},
{
"category": "external",
"summary": "RHBZ#2084085",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084085"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29526",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29526"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU",
"url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU"
}
],
"release_date": "2022-05-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: syscall: faccessat checks wrong group"
},
{
"cve": "CVE-2022-30629",
"cwe": {
"id": "CWE-331",
"name": "Insufficient Entropy"
},
"discovery_date": "2022-06-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2092793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls golang package. Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add value. This issue may allow an attacker who can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: session tickets lack random ticket_age_add",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30629"
},
{
"category": "external",
"summary": "RHBZ#2092793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30629",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30629"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg",
"url": "https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg"
}
],
"release_date": "2022-06-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: crypto/tls: session tickets lack random ticket_age_add"
},
{
"cve": "CVE-2022-30630",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107371"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: io/fs: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "RH ProdSec has set the Impact of this vulnerability to Moderate as there is no known method to execute arbitrary code. Successful exploitation of this bug can cause the application under attack to panic, merely causing a Denial of Service at the application level. As the kernel is unaffected by this bug, the user can merely relaunch the application to fix the problem. Also, if somehow the application keeps relaunching, the timer watchdogs in the default RHEL kernel will stop the attack in its tracks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"category": "external",
"summary": "RHBZ#2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630"
},
{
"category": "external",
"summary": "https://go.dev/issue/53415",
"url": "https://go.dev/issue/53415"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: io/fs: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30631",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang\u0027s compress/gzip package. Calling Reader.Read on an archive that contains a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: compress/gzip: stack exhaustion in Reader.Read",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit CVE-2022-30631, an attacker supplies a specially crafted gzip archive to a Go application that uses a vulnerable version of the compress/gzip package without adequate input validation. This can lead to uncontrolled recursion, resulting in stack exhaustion and causing the application to panic, thereby affecting its availability.\n\nAs this is merely a DoS and there is no known way to control the instruction pointer, RH ProdSec has set the impact of this vulnerability to \"Moderate\".",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"category": "external",
"summary": "RHBZ#2107342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30631",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30631"
},
{
"category": "external",
"summary": "https://go.dev/issue/53168",
"url": "https://go.dev/issue/53168"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: compress/gzip: stack exhaustion in Reader.Read"
},
{
"cve": "CVE-2022-30632",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107386"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This allows an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: path/filepath: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The exploitation of this flaw will only result in a denial of service of the application via the application crashing which is why this has been rated as moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"category": "external",
"summary": "RHBZ#2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632"
},
{
"category": "external",
"summary": "https://go.dev/issue/53416",
"url": "https://go.dev/issue/53416"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: path/filepath: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-32189",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-08-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2113814"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw stems from a specific method (GobDecode) which isn\u0027t commonly used. Few components within Red Hat offerings call this function. In the rare cases where it is called, the component limits the possible damage or the call cannot be triggered by an attacker. For these combined reasons the impact has been downgraded to Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32189"
},
{
"category": "external",
"summary": "RHBZ#2113814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189"
},
{
"category": "external",
"summary": "https://go.dev/issue/53871",
"url": "https://go.dev/issue/53871"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU",
"url": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU"
}
],
"release_date": "2022-08-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, so a relatively small regexp can consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a denial of service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted to each individual container. There are multiple layers of guard rails (Golang\u2019s garbage collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to keep submitting attacks for there to be any enduring impact. They would also need enough external resources to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"known_not_affected": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-30T00:42:39+00:00",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1529"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-STF-1.5:stf/prometheus-webhook-snmp-rhel8@sha256:a53c3dc5955a72913788a3eeda32f725b2f5ef6e893022cc358f20414eb5074f_amd64",
"8Base-STF-1.5:stf/service-telemetry-operator-bundle@sha256:617009676fbc385e222f144f79819b2cdcdafb28ae8674a53cdf8676f69d3717_amd64",
"8Base-STF-1.5:stf/service-telemetry-rhel8-operator@sha256:f71352691d5e680eb09a67ef2e7208a40a10a0b781b451150ced7408dfc603d0_amd64",
"8Base-STF-1.5:stf/sg-bridge-rhel8@sha256:d42174e8f6fbc91666ee2d78483f362f4de3f0ea551ea6d2bf310dadb1b5ba28_amd64",
"8Base-STF-1.5:stf/sg-core-rhel8@sha256:f3ac213d5ff7470ad8a9175fa699033c5c2ee7cd6cf5eb5f4e081de00e94cd37_amd64",
"8Base-STF-1.5:stf/smart-gateway-operator-bundle@sha256:08209b33986a186c90ec84140c833fdd892358583d3a7cb8c73f4732fe210546_amd64",
"8Base-STF-1.5:stf/smart-gateway-rhel8-operator@sha256:9ea6481e460623bd551f5facb1d8cee105103ad380a32cb3efcc0714b60db471_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
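The Go standard library issues recorded above share one mitigation pattern on the application side, independent of which toolchain built the image: bound untrusted input before it reaches a parser (the regexp/syntax case, CVE-2022-41715), and never let a decoder panic on a short message take the whole process down (the math/big GobDecode case, CVE-2022-32189). The program below is an added example written for this page; it is not code from Red Hat, the Service Telemetry Framework or the Go project. `maxPatternLen`, `compileUntrusted` and `decodeFloatGob` are names chosen here, and the inputs in `main` are constructed. The recover in `decodeFloatGob` is a backstop only; the real fix is the updated toolchain that returns an error for a too-short buffer.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"regexp/syntax"
	"strings"
)

// maxPatternLen is a hypothetical per-request budget for user-supplied
// patterns. Fixed toolchains cap the parsed form at 256 MB, but an
// application-level length cap is cheap defence in depth and stops an
// attacker from spending even that much memory per request.
const maxPatternLen = 512

// compileUntrusted compiles a regexp that came from an untrusted source.
// It enforces the length budget first, then compiles, and surfaces the
// regexp/syntax error code so callers can log exactly what was rejected.
func compileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, fmt.Errorf("pattern rejected: %d bytes exceeds budget of %d", len(pattern), maxPatternLen)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		var serr *syntax.Error
		if errors.As(err, &serr) {
			// serr.Code is e.g. ErrMissingParen or ErrInvalidRepeatSize; on a
			// fixed toolchain an oversized expression is reported the same way.
			return nil, fmt.Errorf("pattern rejected (%s): %w", serr.Code, err)
		}
		return nil, err
	}
	return re, nil
}

// decodeFloatGob decodes a big.Float from a gob payload that may be
// attacker-controlled. A fixed toolchain returns an error for a too-short
// buffer; an unfixed one panics inside GobDecode, so the deferred recover
// converts that panic into an ordinary error instead of crashing the process.
func decodeFloatGob(payload []byte) (f *big.Float, err error) {
	defer func() {
		if r := recover(); r != nil {
			f = nil
			err = fmt.Errorf("Float.GobDecode panicked on %d-byte input: %v", len(payload), r)
		}
	}()
	f = new(big.Float)
	if err := f.GobDecode(payload); err != nil {
		return nil, err
	}
	return f, nil
}

func main() {
	// Constructed patterns: a sane one, a syntax error, and one over budget.
	for _, p := range []string{`^[a-z]+@example\.test$`, `(unclosed`, strings.Repeat("a|", 400)} {
		if _, err := compileUntrusted(p); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", len(p), "bytes")
		}
	}

	// Round-trip a legitimate value, then feed a truncated copy of its own
	// encoding (constructed input) through the short-buffer path.
	enc, _ := big.NewFloat(3.25).GobEncode()
	if f, err := decodeFloatGob(enc); err == nil {
		fmt.Println("decoded:", f.Text('g', 10))
	}
	if _, err := decodeFloatGob(enc[:3]); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The length budget is deliberately applied before `regexp.Compile` rather than after: once the parser has started, the memory is already being spent. The same structure (bound, then parse, then recover as a last resort) applies to the gzip and filepath.Glob stack-exhaustion issues listed above, where the bound would be on archive size or path depth.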
RHSA-2023:2167
Vulnerability from csaf_redhat – Published: 2023-05-09 09:50 – Updated: 2026-05-28 20:28

A flaw was found in the golang package, where requests forwarded by a reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the reverse proxy Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — | — | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — | — | Vendor Fix |
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
A flaw was found in the grafana package. Auth proxy allows authentication of a user by only providing the username (or email) in an X-WEBAUTH-USER HTTP header. The trust assumption is that a front proxy will take care of authentication and that the Grafana server is only publicly reachable with this front proxy.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
A flaw was found in the Grafana web application. When a user logs into the system, either the username or email address can be used. However, the login system allows both a username and a connected email to be registered, which could allow an attacker to prevent a user who has an associated email address from accessing the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — | | Vendor Fix |
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)\n\n* grafana: using email as a username can block other users from signing in (CVE-2022-39229)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:2167",
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"category": "external",
"summary": "2095421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095421"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2125514",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2125514"
},
{
"category": "external",
"summary": "2127218",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127218"
},
{
"category": "external",
"summary": "2131149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131149"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2167.json"
}
],
"title": "Red Hat Security Advisory: grafana security and enhancement update",
"tracking": {
"current_release_date": "2026-05-28T20:28:28+00:00",
"generator": {
"date": "2026-05-28T20:28:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:2167",
"initial_release_date": "2023-05-09T09:50:53+00:00",
"revision_history": [
{
"date": "2023-05-09T09:50:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-09T09:50:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.src",
"product": {
"name": "grafana-0:9.0.9-2.el9.src",
"product_id": "grafana-0:9.0.9-2.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.aarch64",
"product": {
"name": "grafana-0:9.0.9-2.el9.aarch64",
"product_id": "grafana-0:9.0.9-2.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.ppc64le",
"product": {
"name": "grafana-0:9.0.9-2.el9.ppc64le",
"product_id": "grafana-0:9.0.9-2.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.x86_64",
"product": {
"name": "grafana-0:9.0.9-2.el9.x86_64",
"product_id": "grafana-0:9.0.9-2.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.s390x",
"product": {
"name": "grafana-0:9.0.9-2.el9.s390x",
"product_id": "grafana-0:9.0.9-2.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64"
},
"product_reference": "grafana-0:9.0.9-2.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le"
},
"product_reference": "grafana-0:9.0.9-2.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x"
},
"product_reference": "grafana-0:9.0.9-2.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src"
},
"product_reference": "grafana-0:9.0.9-2.el9.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64"
},
"product_reference": "grafana-0:9.0.9-2.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"cve": "CVE-2022-35957",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2022-09-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2125514"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. Auth proxy allows authentication of a user by only providing the username (or email) in an X-WEBAUTH-USER HTTP header. The trust assumption is that a front proxy will take care of authentication and that the Grafana server is only publicly reachable with this front proxy.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Escalation from admin to server admin when auth proxy is used",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35957"
},
{
"category": "external",
"summary": "RHBZ#2125514",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2125514"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35957",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35957"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Escalation from admin to server admin when auth proxy is used"
},
{
"cve": "CVE-2022-39229",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131149"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana web application. When a user logs into the system, either the username or email address can be used. However, the login system allows both a username and connected email to be registered, which could allow an attacker to prevent a user which has an associated email address access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: using email as a username can block other users from signing in",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39229"
},
{
"category": "external",
"summary": "RHBZ#2131149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39229",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39229"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39229",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39229"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: using email as a username can block other users from signing in"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
}
]
}
RHSA-2023:2204
Vulnerability from csaf_redhat - Published: 2023-05-09 10:11 - Updated: 2026-05-28 20:28
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch | — | | |
A flaw was found in the golang package, where requests forwarded by a reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the reverse proxy's Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch | — | | |
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch | — | | |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch | — | | |
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64 | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-0:81-1.el9.src | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch | — | | |
| Unresolved product id: AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch | — | | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.\n\nSecurity Fix(es):\n\n* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:2204",
"url": "https://access.redhat.com/errata/RHSA-2023:2204"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"category": "external",
"summary": "2119980",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119980"
},
{
"category": "external",
"summary": "2122843",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2122843"
},
{
"category": "external",
"summary": "2123373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123373"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2125249",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2125249"
},
{
"category": "external",
"summary": "2132250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132250"
},
{
"category": "external",
"summary": "2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2136504",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136504"
},
{
"category": "external",
"summary": "2137364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137364"
},
{
"category": "external",
"summary": "2139645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139645"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2164560",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164560"
},
{
"category": "external",
"summary": "2174158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174158"
},
{
"category": "external",
"summary": "2177699",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177699"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2204.json"
}
],
"title": "Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2026-05-28T20:28:31+00:00",
"generator": {
"date": "2026-05-28T20:28:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:2204",
"initial_release_date": "2023-05-09T10:11:21+00:00",
"revision_history": [
{
"date": "2023-05-09T10:11:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-09T10:11:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-1.el9.src",
"product": {
"name": "weldr-client-0:35.9-1.el9.src",
"product_id": "weldr-client-0:35.9-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-1.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "osbuild-0:81-1.el9.src",
"product": {
"name": "osbuild-0:81-1.el9.src",
"product_id": "osbuild-0:81-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild@81-1.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "cockpit-composer-0:45-1.el9_2.src",
"product": {
"name": "cockpit-composer-0:45-1.el9_2.src",
"product_id": "cockpit-composer-0:45-1.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-composer@45-1.el9_2?arch=src"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:76-2.el9_2.src",
"product": {
"name": "osbuild-composer-0:76-2.el9_2.src",
"product_id": "osbuild-composer-0:76-2.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@76-2.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-1.el9.aarch64",
"product": {
"name": "weldr-client-0:35.9-1.el9.aarch64",
"product_id": "weldr-client-0:35.9-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-1.el9.aarch64",
"product": {
"name": "weldr-client-debugsource-0:35.9-1.el9.aarch64",
"product_id": "weldr-client-debugsource-0:35.9-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"product": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"product_id": "weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"product_id": "weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-core-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-core-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-worker-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-worker-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@76-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"product_id": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@76-2.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-1.el9.ppc64le",
"product": {
"name": "weldr-client-0:35.9-1.el9.ppc64le",
"product_id": "weldr-client-0:35.9-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"product": {
"name": "weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"product_id": "weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"product": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"product_id": "weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"product_id": "weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-core-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-core-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@76-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"product_id": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@76-2.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-1.el9.x86_64",
"product": {
"name": "weldr-client-0:35.9-1.el9.x86_64",
"product_id": "weldr-client-0:35.9-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-1.el9.x86_64",
"product": {
"name": "weldr-client-debugsource-0:35.9-1.el9.x86_64",
"product_id": "weldr-client-debugsource-0:35.9-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"product": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"product_id": "weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64",
"product_id": "weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-core-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-core-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-worker-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-worker-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@76-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"product_id": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@76-2.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-1.el9.s390x",
"product": {
"name": "weldr-client-0:35.9-1.el9.s390x",
"product_id": "weldr-client-0:35.9-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-1.el9.s390x",
"product": {
"name": "weldr-client-debugsource-0:35.9-1.el9.s390x",
"product_id": "weldr-client-debugsource-0:35.9-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-1.el9.s390x",
"product": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.s390x",
"product_id": "weldr-client-debuginfo-0:35.9-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"product_id": "weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-core-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-core-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-worker-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-worker-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@76-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"product": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"product_id": "osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@76-2.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-0:81-1.el9.noarch",
"product": {
"name": "osbuild-0:81-1.el9.noarch",
"product_id": "osbuild-0:81-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild@81-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-luks2-0:81-1.el9.noarch",
"product": {
"name": "osbuild-luks2-0:81-1.el9.noarch",
"product_id": "osbuild-luks2-0:81-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-luks2@81-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-lvm2-0:81-1.el9.noarch",
"product": {
"name": "osbuild-lvm2-0:81-1.el9.noarch",
"product_id": "osbuild-lvm2-0:81-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-lvm2@81-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-ostree-0:81-1.el9.noarch",
"product": {
"name": "osbuild-ostree-0:81-1.el9.noarch",
"product_id": "osbuild-ostree-0:81-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-ostree@81-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-selinux-0:81-1.el9.noarch",
"product": {
"name": "osbuild-selinux-0:81-1.el9.noarch",
"product_id": "osbuild-selinux-0:81-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-selinux@81-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-osbuild-0:81-1.el9.noarch",
"product": {
"name": "python3-osbuild-0:81-1.el9.noarch",
"product_id": "python3-osbuild-0:81-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-osbuild@81-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "cockpit-composer-0:45-1.el9_2.noarch",
"product": {
"name": "cockpit-composer-0:45-1.el9_2.noarch",
"product_id": "cockpit-composer-0:45-1.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-composer@45-1.el9_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-composer-0:45-1.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch"
},
"product_reference": "cockpit-composer-0:45-1.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-composer-0:45-1.el9_2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src"
},
"product_reference": "cockpit-composer-0:45-1.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-0:81-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch"
},
"product_reference": "osbuild-0:81-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-0:81-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-0:81-1.el9.src"
},
"product_reference": "osbuild-0:81-1.el9.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:76-2.el9_2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src"
},
"product_reference": "osbuild-composer-0:76-2.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-core-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-core-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-core-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-core-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-worker-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-worker-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-worker-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-luks2-0:81-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch"
},
"product_reference": "osbuild-luks2-0:81-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-lvm2-0:81-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch"
},
"product_reference": "osbuild-lvm2-0:81-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-ostree-0:81-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch"
},
"product_reference": "osbuild-ostree-0:81-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-selinux-0:81-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch"
},
"product_reference": "osbuild-selinux-0:81-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-osbuild-0:81-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
},
"product_reference": "python3-osbuild-0:81-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64"
},
"product_reference": "weldr-client-0:35.9-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le"
},
"product_reference": "weldr-client-0:35.9-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x"
},
"product_reference": "weldr-client-0:35.9-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src"
},
"product_reference": "weldr-client-0:35.9-1.el9.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64"
},
"product_reference": "weldr-client-0:35.9-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64"
},
"product_reference": "weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le"
},
"product_reference": "weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x"
},
"product_reference": "weldr-client-debuginfo-0:35.9-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64"
},
"product_reference": "weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64"
},
"product_reference": "weldr-client-debugsource-0:35.9-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le"
},
"product_reference": "weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x"
},
"product_reference": "weldr-client-debugsource-0:35.9-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64"
},
"product_reference": "weldr-client-debugsource-0:35.9-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-2879",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132867"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.\n\n\nThis flaw additionally affects the github.com/vbatts/tar-split library and was fixed in v0.12.1.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2879"
},
{
"category": "external",
"summary": "RHBZ#2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54853",
"url": "https://github.com/golang/go/issues/54853"
},
{
"category": "external",
"summary": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1",
"url": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:11:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers"
},
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:11:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:11:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:11:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:11:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.noarch",
"AppStream-9.2.0.GA:cockpit-composer-0:45-1.el9_2.src",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-0:81-1.el9.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.src",
"AppStream-9.2.0.GA:osbuild-composer-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-core-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-debugsource-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-dnf-json-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-tests-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.aarch64",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.s390x",
"AppStream-9.2.0.GA:osbuild-composer-worker-debuginfo-0:76-2.el9_2.x86_64",
"AppStream-9.2.0.GA:osbuild-luks2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-lvm2-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-ostree-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:osbuild-selinux-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:python3-osbuild-0:81-1.el9.noarch",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.src",
"AppStream-9.2.0.GA:weldr-client-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debuginfo-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-debugsource-0:35.9-1.el9.x86_64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.aarch64",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.ppc64le",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.s390x",
"AppStream-9.2.0.GA:weldr-client-tests-debuginfo-0:35.9-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
RHSA-2023:2357
Vulnerability from csaf_redhat - Published: 2023-05-09 10:03 - Updated: 2026-05-28 20:28

A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers as indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the same invalid header instead of rejecting it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in the golang package, where requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
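The sanitization rule from the query-parameter smuggling description above, as an added example that is not code from this advisory or from the Go project: cleanQueryParams reproduces the documented post-fix behaviour by dropping the pairs url.ParseQuery rejects (semicolon separators, malformed percent-escapes) and leaving a well-formed raw query untouched; forwardedQuery applies it only when the proxy parsed the form, and newProxy shows a Director that does so. The echo backend, the target URL and the sample queries are constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// isHex reports whether c is an ASCII hex digit (the only bytes allowed after '%').
func isHex(c byte) bool {
	return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F')
}

// cleanQueryParams drops query pairs that net/http itself refuses to parse.
// It reproduces the post-fix rule from the advisory text: if the raw query
// contains a semicolon separator or a malformed percent-escape, it is
// re-encoded from the pairs url.ParseQuery accepts, so the unparseable pairs
// never reach the backend. A well-formed raw query is returned unchanged.
func cleanQueryParams(raw string) string {
	reencode := func(s string) string {
		v, _ := url.ParseQuery(s) // the error is expected; v holds the parseable pairs
		return v.Encode()
	}
	for i := 0; i < len(raw); {
		switch raw[i] {
		case ';':
			return reencode(raw)
		case '%':
			if i+2 >= len(raw) || !isHex(raw[i+1]) || !isHex(raw[i+2]) {
				return reencode(raw)
			}
			i += 3
		default:
			i++
		}
	}
	return raw
}

// forwardedQuery models the advisory's rule: the outbound query is sanitized
// only when the proxy parsed the parameters (Form is non-nil once Director
// returns); a proxy that never parses them forwards the raw query unchanged.
func forwardedQuery(raw string, proxyParsedForm bool) string {
	if proxyParsedForm {
		return cleanQueryParams(raw)
	}
	return raw
}

// newProxy builds a ReverseProxy whose Director points at target and, when
// parseQuery is true, inspects the parameters, which is what marks the query
// as parsed and makes the sanitization apply.
func newProxy(target *url.URL, parseQuery bool) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			req.URL.Scheme = target.Scheme
			req.URL.Host = target.Host
			req.Host = target.Host
			if parseQuery {
				_ = req.ParseForm() // an unparseable pair makes this return an error; Form is still set
			}
		},
	}
}

func main() {
	// Constructed backend: echoes the raw query it received.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.URL.RawQuery)
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)

	for _, parse := range []bool{false, true} {
		proxy := httptest.NewServer(newProxy(target, parse))
		resp, err := http.Get(proxy.URL + "/?id=7&x=%zz")
		if err != nil {
			panic(err)
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		proxy.Close()
		fmt.Printf("proxy parsed form=%-5v backend saw %q (model: %q)\n",
			parse, body, forwardedQuery("id=7&x=%zz", parse))
	}
}
```

On a patched Go release ReverseProxy performs this step itself; what the example makes visible is the parsed/unparsed distinction the advisory draws. A Director that never calls ParseForm still forwards `id=7&x=%zz` byte-for-byte, so a backend reached through such a proxy must apply its own strict parsing rather than assume the proxy rejected what net/http would reject.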
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, allowing an attacker to impact system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in the net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix); Workaround |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, making a relatively small regexp consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64 | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x | — | | Vendor Fix (fix) |
| AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for git-lfs is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:2357",
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"category": "external",
"summary": "2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "2107383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107383"
},
{
"category": "external",
"summary": "2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "2107388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107388"
},
{
"category": "external",
"summary": "2113814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2139383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139383"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2357.json"
}
],
"title": "Red Hat Security Advisory: git-lfs security and bug fix update",
"tracking": {
"current_release_date": "2026-05-28T20:28:29+00:00",
"generator": {
"date": "2026-05-28T20:28:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:2357",
"initial_release_date": "2023-05-09T10:03:05+00:00",
"revision_history": [
{
"date": "2023-05-09T10:03:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-09T10:03:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.2.0-1.el9.src",
"product": {
"name": "git-lfs-0:3.2.0-1.el9.src",
"product_id": "git-lfs-0:3.2.0-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.2.0-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.2.0-1.el9.aarch64",
"product": {
"name": "git-lfs-0:3.2.0-1.el9.aarch64",
"product_id": "git-lfs-0:3.2.0-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.2.0-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"product": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"product_id": "git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.2.0-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"product": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"product_id": "git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.2.0-1.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.2.0-1.el9.ppc64le",
"product": {
"name": "git-lfs-0:3.2.0-1.el9.ppc64le",
"product_id": "git-lfs-0:3.2.0-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.2.0-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"product": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"product_id": "git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.2.0-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"product": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"product_id": "git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.2.0-1.el9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.2.0-1.el9.x86_64",
"product": {
"name": "git-lfs-0:3.2.0-1.el9.x86_64",
"product_id": "git-lfs-0:3.2.0-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.2.0-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.2.0-1.el9.x86_64",
"product": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.x86_64",
"product_id": "git-lfs-debugsource-0:3.2.0-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.2.0-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"product": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"product_id": "git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.2.0-1.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-lfs-0:3.2.0-1.el9.s390x",
"product": {
"name": "git-lfs-0:3.2.0-1.el9.s390x",
"product_id": "git-lfs-0:3.2.0-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs@3.2.0-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"product": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"product_id": "git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debugsource@3.2.0-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"product": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"product_id": "git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@3.2.0-1.el9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.2.0-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64"
},
"product_reference": "git-lfs-0:3.2.0-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.2.0-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le"
},
"product_reference": "git-lfs-0:3.2.0-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.2.0-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x"
},
"product_reference": "git-lfs-0:3.2.0-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.2.0-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src"
},
"product_reference": "git-lfs-0:3.2.0-1.el9.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-0:3.2.0-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64"
},
"product_reference": "git-lfs-0:3.2.0-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64"
},
"product_reference": "git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le"
},
"product_reference": "git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x"
},
"product_reference": "git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debuginfo-0:3.2.0-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64"
},
"product_reference": "git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64"
},
"product_reference": "git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le"
},
"product_reference": "git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x"
},
"product_reference": "git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-lfs-debugsource-0:3.2.0-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
},
"product_reference": "git-lfs-debugsource-0:3.2.0-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1705",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107374"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating \"chunked\" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: improper sanitization of Transfer-Encoding header",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"category": "external",
"summary": "RHBZ#2107374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705"
},
{
"category": "external",
"summary": "https://go.dev/issue/53188",
"url": "https://go.dev/issue/53188"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: improper sanitization of Transfer-Encoding header"
},
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by a reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"cve": "CVE-2022-30630",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107371"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: io/fs: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "RH ProdSec has set the Impact of this vulnerability to Moderate as there is no known method to execute arbitrary code. Successful exploitation of this bug causes the application under attack to panic, resulting only in a denial of service at the application level. As the kernel is unaffected by this bug, the user can simply relaunch the application to recover. If the application somehow keeps relaunching, the timer watchdogs in the default RHEL kernel will stop the attack in its tracks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"category": "external",
"summary": "RHBZ#2107371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107371"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630"
},
{
"category": "external",
"summary": "https://go.dev/issue/53415",
"url": "https://go.dev/issue/53415"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: io/fs: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30632",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107386"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang standard library, path/filepath. Calling Glob on a path that contains a large number of path separators can cause a panic due to stack exhaustion. This could allow an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: path/filepath: stack exhaustion in Glob",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Exploitation of this flaw results only in a denial of service by crashing the application, which is why it has been rated as Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"category": "external",
"summary": "RHBZ#2107386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30632"
},
{
"category": "external",
"summary": "https://go.dev/issue/53416",
"url": "https://go.dev/issue/53416"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: path/filepath: stack exhaustion in Glob"
},
{
"cve": "CVE-2022-30635",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107388"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion, allowing an attacker to impact availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: encoding/gob: stack exhaustion in Decoder.Decode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) starting from the 4.10 stream is already compiled with a patched version of Go, and hence is not affected by this vulnerability. The vulnerability has been rated as Moderate instead of High because it can only result in a minor denial of service.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30635"
},
{
"category": "external",
"summary": "RHBZ#2107388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30635",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30635"
},
{
"category": "external",
"summary": "https://go.dev/issue/53615",
"url": "https://go.dev/issue/53615"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: encoding/gob: stack exhaustion in Decoder.Decode"
},
{
"cve": "CVE-2022-32148",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2107383"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"category": "external",
"summary": "RHBZ#2107383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148"
},
{
"category": "external",
"summary": "https://go.dev/issue/53423",
"url": "https://go.dev/issue/53423"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
}
],
"release_date": "2022-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working"
},
{
"cve": "CVE-2022-32189",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2113814"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw stems from a particular and specific method (GobDecode) which isn\u0027t commonly used. There are few components within Red Hat offerings which call this function. In rare cases where this method is called, the component limits possible damage or it is not possible to be triggered by an attacker. For these combined reasons the impact has been downgraded to Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-32189"
},
{
"category": "external",
"summary": "RHBZ#2113814",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189"
},
{
"category": "external",
"summary": "https://go.dev/issue/53871",
"url": "https://go.dev/issue/53871"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU",
"url": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU"
}
],
"release_date": "2022-08-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:03:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2357"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.src",
"AppStream-9.2.0.GA:git-lfs-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debuginfo-0:3.2.0-1.el9.x86_64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.aarch64",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.ppc64le",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.s390x",
"AppStream-9.2.0.GA:git-lfs-debugsource-0:3.2.0-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
RHSA-2023:2592
Vulnerability from csaf_redhat - Published: 2023-05-09 10:04 - Updated: 2026-05-28 20:28

A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64 | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64 | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x | — | | Vendor Fix |
| Unresolved product id: CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang-github-cpuguy83-md2man is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "go-md2man converts markdown into roff (man pages).\n\nSecurity Fix(es):\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:2592",
"url": "https://access.redhat.com/errata/RHSA-2023:2592"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"category": "external",
"summary": "2037812",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2037812"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2149240",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149240"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2592.json"
}
],
"title": "Red Hat Security Advisory: golang-github-cpuguy83-md2man security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2026-05-28T20:28:30+00:00",
"generator": {
"date": "2026-05-28T20:28:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:2592",
"initial_release_date": "2023-05-09T10:04:01+00:00",
"revision_history": [
{
"date": "2023-05-09T10:04:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-09T10:04:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux CRB (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::crb"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"product": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"product_id": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man@2.0.2-4.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"product": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"product_id": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man@2.0.2-4.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"product": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"product_id": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debugsource@2.0.2-4.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"product": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"product_id": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debuginfo@2.0.2-4.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"product": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"product_id": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man@2.0.2-4.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"product": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"product_id": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debugsource@2.0.2-4.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"product": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"product_id": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debuginfo@2.0.2-4.el9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"product": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"product_id": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man@2.0.2-4.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64",
"product": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64",
"product_id": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debugsource@2.0.2-4.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"product": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"product_id": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debuginfo@2.0.2-4.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"product": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"product_id": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man@2.0.2-4.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"product": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"product_id": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debugsource@2.0.2-4.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"product": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"product_id": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-github-cpuguy83-md2man-debuginfo@2.0.2-4.el9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64 as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64"
},
"product_reference": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le"
},
"product_reference": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x"
},
"product_reference": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src"
},
"product_reference": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64 as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64"
},
"product_reference": "golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64 as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64"
},
"product_reference": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le"
},
"product_reference": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x"
},
"product_reference": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64 as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64"
},
"product_reference": "golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64 as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64"
},
"product_reference": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le"
},
"product_reference": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x"
},
"product_reference": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"relates_to_product_reference": "CRB-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64 as a component of Red Hat Enterprise Linux CRB (v. 9)",
"product_id": "CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64"
},
"product_reference": "golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64",
"relates_to_product_reference": "CRB-9.2.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T10:04:01+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2592"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.src",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-0:2.0.2-4.el9.x86_64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debuginfo-0:2.0.2-4.el9.x86_64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.aarch64",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.ppc64le",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.s390x",
"CRB-9.2.0.GA:golang-github-cpuguy83-md2man-debugsource-0:2.0.2-4.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
}
]
}
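
The CVE-2022-41715 record above says the fix makes regexp/syntax reject any expression whose parsed form would exceed 256 MB, and that the danger is to programs that compile patterns from untrusted sources. What the record does not show is how such a program should bound caller-supplied patterns itself, which matters on any toolchain still inside the affected ranges (Go < 1.18.7, 1.19.0 to 1.19.1) and remains worthwhile defence in depth afterwards. The Go program below is an added example written for this page, not code from the Go project or from Red Hat; the `Limits` type, its default numbers and the `CompileUntrusted` function are this example's own choices. It puts one check on each side of the parser: a cap on raw pattern length, which is the only check that runs before `regexp/syntax` allocates anything, and a cap on the size of the compiled program, which bounds matching cost on any Go version.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
	"strings"
)

// Limits bounds a regexp pattern supplied by an untrusted caller. The values
// in DefaultLimits are illustrative choices for this example, not numbers
// taken from the advisory or from the Go standard library.
type Limits struct {
	MaxPatternLen int // bytes of pattern text accepted before the parser runs
	MaxProgInsts  int // compiled program instructions accepted after parsing
}

var DefaultLimits = Limits{MaxPatternLen: 1024, MaxProgInsts: 2000}

var (
	ErrPatternTooLong = errors.New("regexp pattern exceeds length limit")
	ErrProgramTooBig  = errors.New("compiled regexp exceeds instruction limit")
)

// CompileUntrusted compiles pattern only if it passes a check on each side of
// the parser: the length cap runs before regexp/syntax allocates anything, so
// it still helps on a toolchain without the 256 MB parser limit; the program
// size cap bounds matching cost regardless of Go version.
func CompileUntrusted(pattern string, lim Limits) (*regexp.Regexp, error) {
	if len(pattern) > lim.MaxPatternLen {
		return nil, fmt.Errorf("%w: %d bytes", ErrPatternTooLong, len(pattern))
	}
	// regexp.Compile parses with syntax.Perl; use the same flags so the
	// program measured here is the one regexp would build. On a fixed Go
	// release an oversized expression is rejected by Parse itself.
	re, err := syntax.Parse(pattern, syntax.Perl)
	if err != nil {
		return nil, err
	}
	// Compile needs a simplified tree; simplification also expands counted
	// repeats such as a{1000}, so the instruction count reflects the matcher
	// that will actually run.
	prog, err := syntax.Compile(re.Simplify())
	if err != nil {
		return nil, err
	}
	if n := len(prog.Inst); n > lim.MaxProgInsts {
		return nil, fmt.Errorf("%w: %d instructions", ErrProgramTooBig, n)
	}
	return regexp.Compile(pattern)
}

func main() {
	// Tight limits so the rejection paths show up with small inputs.
	lim := Limits{MaxPatternLen: 1024, MaxProgInsts: 500}
	for _, p := range []string{
		`^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$`, // ordinary pattern, accepted
		`a{1000}`,                 // legal syntax, but about 1000 instructions
		strings.Repeat("a", 4096), // rejected before the parser runs
		`(`,                       // ordinary syntax error, passed through
	} {
		shown := p
		if len(shown) > 40 {
			shown = shown[:40] + "..."
		}
		if _, err := CompileUntrusted(p, lim); err != nil {
			fmt.Printf("rejected %q: %v\n", shown, err)
			continue
		}
		fmt.Printf("accepted %q\n", shown)
	}
}
```

The instruction cap is the part worth tuning: `a{1000}` is valid under Go's own repeat limit and parses in negligible memory on a fixed toolchain, yet it compiles to roughly a thousand instructions, so a service that accepts patterns from users will usually want a budget well below the default used here.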
RHSA-2023:2780
Vulnerability from csaf_redhat - Published: 2023-05-16 08:57 - Updated: 2026-05-28 20:28

A flaw was found in the golang package, where archive/tar's Reader.Read does not set a limit on the maximum size of file headers. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch | — | | |
| AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src | — | | |
| AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-0:81-1.el8.src | — | | |
| AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch | — | | |

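
The archive/tar flaw described for this advisory is fixed inside the standard library by capping header blocks at 1 MiB, but a program that unpacks archives it did not produce should not depend on that cap alone: the fix says nothing about how much data the entries themselves may carry, and an unpatched toolchain still reads oversized headers in full. The following Go program is an added example written for this page, not code from the Go project, from Red Hat or from osbuild-composer; the `ExtractLimits` type, the `Extract` and `SampleArchive` functions and every numeric limit in it are this example's own assumptions. The idea is simply to put the whole tar stream behind an `io.LimitedReader`, so header blocks and data blocks alike draw on one byte budget, and to bound entry size and entry count on top of that.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ExtractLimits bounds what an untrusted tar stream may cost to process.
// The numbers used in main are illustrative choices for this example.
type ExtractLimits struct {
	MaxArchiveBytes int64 // total bytes consumed from the input, headers included
	MaxEntryBytes   int64 // bytes accepted for any single regular file
	MaxEntries      int   // entries processed before giving up
}

var (
	ErrArchiveTooLarge = errors.New("archive exceeds total byte limit")
	ErrEntryTooLarge   = errors.New("entry exceeds per-entry byte limit")
	ErrTooManyEntries  = errors.New("archive exceeds entry count limit")
)

// Extract reads a tar stream and returns its regular files keyed by name.
// Every byte the tar reader consumes, header blocks included, passes through
// an io.LimitedReader, so headers or data that would exceed the budget are
// cut off instead of being buffered in full.
func Extract(r io.Reader, lim ExtractLimits) (map[string][]byte, error) {
	// One byte of slack distinguishes "exactly at the limit" from "over it".
	limited := &io.LimitedReader{R: r, N: lim.MaxArchiveBytes + 1}
	tr := tar.NewReader(limited)
	files := make(map[string][]byte)
	for n := 0; ; n++ {
		hdr, err := tr.Next()
		if err != nil && limited.N == 0 {
			return nil, ErrArchiveTooLarge // budget spent before a clean end-of-archive
		}
		if err == io.EOF {
			return files, nil
		}
		if err != nil {
			return nil, err
		}
		if n >= lim.MaxEntries {
			return nil, ErrTooManyEntries
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, links and so on are out of scope here
		}
		if hdr.Size > lim.MaxEntryBytes {
			return nil, fmt.Errorf("%w: %s declares %d bytes", ErrEntryTooLarge, hdr.Name, hdr.Size)
		}
		// tar.Reader stops at hdr.Size on its own; copying at most one byte
		// more than the limit means the header is never the only guard.
		var buf bytes.Buffer
		_, err = io.CopyN(&buf, tr, lim.MaxEntryBytes+1)
		switch {
		case err == io.EOF: // entry ended within budget
			files[hdr.Name] = buf.Bytes()
		case err == nil: // limit+1 bytes copied: the entry is too big
			return nil, fmt.Errorf("%w: %s", ErrEntryTooLarge, hdr.Name)
		case limited.N == 0:
			return nil, ErrArchiveTooLarge
		default:
			return nil, err
		}
	}
}

// SampleArchive builds a small, well-formed tar in memory. It is constructed
// test data for this example, not content from any real package.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range []struct {
		name string
		body []byte
	}{
		{"a.txt", []byte("hello")},
		{"b.bin", bytes.Repeat([]byte{0x42}, 3000)},
	} {
		hdr := &tar.Header{Name: f.name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(f.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(f.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// A 2048-byte budget runs out inside b.bin, so Extract stops early.
	files, err := Extract(bytes.NewReader(SampleArchive()),
		ExtractLimits{MaxArchiveBytes: 2048, MaxEntryBytes: 4096, MaxEntries: 10})
	fmt.Printf("%d files, err=%v\n", len(files), err)
}
```

Keeping the limit on the reader rather than on individual entries is what makes this cover the header case: a PAX extended header that claims a huge size is read through the same `io.LimitedReader`, so the tar reader hits end of input and returns an error instead of allocating what the header asked for.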
A flaw was found in the golang package, where requests forwarded by a reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy Director function returns, which indicates that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch | — | | |
| AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src | — | | |
| AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-0:81-1.el8.src | — | | |
| AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch | — | | |
| AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch | — | | |

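
The reverse-proxy description above turns on a detail that is easy to miss: net/http refuses to parse a query pair that contains a semicolon or a malformed percent-escape, so a Go proxy that makes a decision on the parsed parameters never sees such a pair, yet on an unfixed release it still forwards the raw query, and a backend with a more lenient parser may act on what the proxy never inspected. The Go program below is an added example written for this page, not code from the Go project or from Red Hat; the `SanitizeQuery`, `reencode` and `NewProxy` functions, the echo backend and the sample request are this example's own constructions. `SanitizeQuery` reproduces the effect the fixed `httputil.ReverseProxy` applies once the Director has left `req.Form` set: keep the pairs `url.ParseQuery` accepts, drop the rest, and leave a fully well-formed query untouched.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// SanitizeQuery returns raw unchanged when every pair in it is one net/http
// would parse, and otherwise re-encodes only the pairs url.ParseQuery accepts.
// The two things ParseQuery refuses are a semicolon inside a pair and a
// malformed percent-escape; those are exactly the parameters a Go proxy
// never sees but a more lenient backend might act on.
func SanitizeQuery(raw string) string {
	for _, pair := range strings.Split(raw, "&") {
		if strings.Contains(pair, ";") {
			return reencode(raw)
		}
		if _, err := url.QueryUnescape(pair); err != nil {
			return reencode(raw)
		}
	}
	return raw
}

// reencode keeps the well-formed pairs and drops the rest. ParseQuery's error
// is deliberately ignored: its partial result is exactly what we want.
func reencode(raw string) string {
	v, _ := url.ParseQuery(raw)
	return v.Encode()
}

// NewProxy is a ReverseProxy whose Director inspects the query, as a proxy
// that routes or authorises on parameters would, and then forwards only the
// sanitized form. A fixed Go release performs the same cleaning itself once
// Director has left req.Form set; doing it explicitly makes the behaviour
// independent of the toolchain the binary was built with.
func NewProxy(backend *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			req.URL.Scheme = backend.Scheme
			req.URL.Host = backend.Host
			req.Host = backend.Host
			_ = req.ParseForm() // the proxy "looks at" the parameters here
			req.URL.RawQuery = SanitizeQuery(req.URL.RawQuery)
		},
	}
}

func main() {
	// Backend that echoes the query it received (constructed for this demo).
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.URL.RawQuery)
	}))
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		panic(err)
	}
	front := httptest.NewServer(NewProxy(target))
	defer front.Close()

	// role=admin;debug=1 and t=%zz are pairs net/http refuses to parse.
	resp, err := http.Get(front.URL + "/?user=alice&page=2&role=admin;debug=1&t=%zz")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	fmt.Printf("backend received: %s\n", body)
}
```

Two properties of the sanitizer are worth keeping in mind when adapting it: a clean query is passed through byte for byte, so ordinary traffic is not rewritten, and a query that needed cleaning comes back re-encoded by `url.Values.Encode`, which sorts keys, so parameter order is not preserved in that case.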
A flaw was found in the golang package: in net/http, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64 | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le | — | | Vendor Fix |
| AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x | — | | Vendor Fix |
fix
|
|
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-0:81-1.el8.src | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch | — | | |
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, making a relatively small regexp consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-0:81-1.el8.src | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch | — | | |
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-0:81-1.el8.src | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch | — | | |
| Unresolved product id: AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch | — | | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.\n\nSecurity Fix(es):\n\n* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:2780",
"url": "https://access.redhat.com/errata/RHSA-2023:2780"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
},
{
"category": "external",
"summary": "2033192",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033192"
},
{
"category": "external",
"summary": "2063126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063126"
},
{
"category": "external",
"summary": "2072834",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072834"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2132254",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132254"
},
{
"category": "external",
"summary": "2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "2136503",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136503"
},
{
"category": "external",
"summary": "2139721",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139721"
},
{
"category": "external",
"summary": "2141738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141738"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2168666",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168666"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2780.json"
}
],
"title": "Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2026-05-28T20:28:40+00:00",
"generator": {
"date": "2026-05-28T20:28:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:2780",
"initial_release_date": "2023-05-16T08:57:22+00:00",
"revision_history": [
{
"date": "2023-05-16T08:57:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-16T08:57:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:28:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-2.el8.src",
"product": {
"name": "weldr-client-0:35.9-2.el8.src",
"product_id": "weldr-client-0:35.9-2.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-2.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:75-1.el8.src",
"product": {
"name": "osbuild-composer-0:75-1.el8.src",
"product_id": "osbuild-composer-0:75-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@75-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "osbuild-0:81-1.el8.src",
"product": {
"name": "osbuild-0:81-1.el8.src",
"product_id": "osbuild-0:81-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild@81-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "cockpit-composer-0:45-1.el8_8.src",
"product": {
"name": "cockpit-composer-0:45-1.el8_8.src",
"product_id": "cockpit-composer-0:45-1.el8_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-composer@45-1.el8_8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-2.el8.aarch64",
"product": {
"name": "weldr-client-0:35.9-2.el8.aarch64",
"product_id": "weldr-client-0:35.9-2.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-2.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-2.el8.aarch64",
"product": {
"name": "weldr-client-debugsource-0:35.9-2.el8.aarch64",
"product_id": "weldr-client-debugsource-0:35.9-2.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-2.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"product": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"product_id": "weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-2.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"product_id": "weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-2.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-core-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-core-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-worker-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-worker-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-debugsource-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-debugsource-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@75-1.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"product_id": "osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@75-1.el8?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-2.el8.ppc64le",
"product": {
"name": "weldr-client-0:35.9-2.el8.ppc64le",
"product_id": "weldr-client-0:35.9-2.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-2.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"product": {
"name": "weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"product_id": "weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-2.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"product": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"product_id": "weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-2.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"product_id": "weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-2.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-core-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-core-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-worker-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-worker-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@75-1.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"product_id": "osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@75-1.el8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-2.el8.x86_64",
"product": {
"name": "weldr-client-0:35.9-2.el8.x86_64",
"product_id": "weldr-client-0:35.9-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-2.el8.x86_64",
"product": {
"name": "weldr-client-debugsource-0:35.9-2.el8.x86_64",
"product_id": "weldr-client-debugsource-0:35.9-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"product": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"product_id": "weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64",
"product_id": "weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-core-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-core-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-worker-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-worker-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-debugsource-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-debugsource-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@75-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"product_id": "osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@75-1.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "weldr-client-0:35.9-2.el8.s390x",
"product": {
"name": "weldr-client-0:35.9-2.el8.s390x",
"product_id": "weldr-client-0:35.9-2.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client@35.9-2.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debugsource-0:35.9-2.el8.s390x",
"product": {
"name": "weldr-client-debugsource-0:35.9-2.el8.s390x",
"product_id": "weldr-client-debugsource-0:35.9-2.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debugsource@35.9-2.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "weldr-client-debuginfo-0:35.9-2.el8.s390x",
"product": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.s390x",
"product_id": "weldr-client-debuginfo-0:35.9-2.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-debuginfo@35.9-2.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"product": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"product_id": "weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/weldr-client-tests-debuginfo@35.9-2.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-0:75-1.el8.s390x",
"product_id": "osbuild-composer-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-core-0:75-1.el8.s390x",
"product_id": "osbuild-composer-core-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-dnf-json-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.s390x",
"product_id": "osbuild-composer-dnf-json-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-dnf-json@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-worker-0:75-1.el8.s390x",
"product_id": "osbuild-composer-worker-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-debugsource-0:75-1.el8.s390x",
"product_id": "osbuild-composer-debugsource-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"product_id": "osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.s390x",
"product_id": "osbuild-composer-debuginfo-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"product_id": "osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@75-1.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"product_id": "osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@75-1.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-0:81-1.el8.noarch",
"product": {
"name": "osbuild-0:81-1.el8.noarch",
"product_id": "osbuild-0:81-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild@81-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-luks2-0:81-1.el8.noarch",
"product": {
"name": "osbuild-luks2-0:81-1.el8.noarch",
"product_id": "osbuild-luks2-0:81-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-luks2@81-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-lvm2-0:81-1.el8.noarch",
"product": {
"name": "osbuild-lvm2-0:81-1.el8.noarch",
"product_id": "osbuild-lvm2-0:81-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-lvm2@81-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-ostree-0:81-1.el8.noarch",
"product": {
"name": "osbuild-ostree-0:81-1.el8.noarch",
"product_id": "osbuild-ostree-0:81-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-ostree@81-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-selinux-0:81-1.el8.noarch",
"product": {
"name": "osbuild-selinux-0:81-1.el8.noarch",
"product_id": "osbuild-selinux-0:81-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-selinux@81-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-osbuild-0:81-1.el8.noarch",
"product": {
"name": "python3-osbuild-0:81-1.el8.noarch",
"product_id": "python3-osbuild-0:81-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-osbuild@81-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "cockpit-composer-0:45-1.el8_8.noarch",
"product": {
"name": "cockpit-composer-0:45-1.el8_8.noarch",
"product_id": "cockpit-composer-0:45-1.el8_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-composer@45-1.el8_8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-composer-0:45-1.el8_8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch"
},
"product_reference": "cockpit-composer-0:45-1.el8_8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-composer-0:45-1.el8_8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src"
},
"product_reference": "cockpit-composer-0:45-1.el8_8.src",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-0:81-1.el8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch"
},
"product_reference": "osbuild-0:81-1.el8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-0:81-1.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-0:81-1.el8.src"
},
"product_reference": "osbuild-0:81-1.el8.src",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:75-1.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src"
},
"product_reference": "osbuild-composer-0:75-1.el8.src",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-core-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-core-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-core-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-core-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-debuginfo-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-debugsource-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-debugsource-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-debugsource-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-dnf-json-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-dnf-json-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-worker-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-worker-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-worker-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-worker-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-luks2-0:81-1.el8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch"
},
"product_reference": "osbuild-luks2-0:81-1.el8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-lvm2-0:81-1.el8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch"
},
"product_reference": "osbuild-lvm2-0:81-1.el8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-ostree-0:81-1.el8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch"
},
"product_reference": "osbuild-ostree-0:81-1.el8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-selinux-0:81-1.el8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch"
},
"product_reference": "osbuild-selinux-0:81-1.el8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-osbuild-0:81-1.el8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
},
"product_reference": "python3-osbuild-0:81-1.el8.noarch",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-2.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64"
},
"product_reference": "weldr-client-0:35.9-2.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-2.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le"
},
"product_reference": "weldr-client-0:35.9-2.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-2.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x"
},
"product_reference": "weldr-client-0:35.9-2.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-2.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src"
},
"product_reference": "weldr-client-0:35.9-2.el8.src",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-0:35.9-2.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64"
},
"product_reference": "weldr-client-0:35.9-2.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64"
},
"product_reference": "weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le"
},
"product_reference": "weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x"
},
"product_reference": "weldr-client-debuginfo-0:35.9-2.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debuginfo-0:35.9-2.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64"
},
"product_reference": "weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-2.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64"
},
"product_reference": "weldr-client-debugsource-0:35.9-2.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-2.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le"
},
"product_reference": "weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-2.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x"
},
"product_reference": "weldr-client-debugsource-0:35.9-2.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-debugsource-0:35.9-2.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64"
},
"product_reference": "weldr-client-debugsource-0:35.9-2.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"relates_to_product_reference": "AppStream-8.8.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
},
"product_reference": "weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-2879",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132867"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.\n\n\nThis flaw additionally affects the github.com/vbatts/tar-split library and was fixed in v0.12.1.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"known_not_affected": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2879"
},
{
"category": "external",
"summary": "RHBZ#2132867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54853",
"url": "https://github.com/golang/go/issues/54853"
},
{
"category": "external",
"summary": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1",
"url": "https://github.com/vbatts/tar-split/releases/tag/v0.12.1"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-16T08:57:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2780"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers"
},
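Added example (written for this page, not code from the Red Hat advisory or from the Go project) illustrating the archive/tar issue described in the CVE-2022-2879 entry above. It walks the raw 512-byte tar header blocks and rejects any PAX or GNU metadata entry (typeflags x, g, L, K) whose declared size exceeds the 1 MiB bound the Go fix introduced, before archive/tar is allowed to parse the stream, so no allocation proportional to the declared size ever happens. Both archives are constructed inline; the function names ScreenTar, ListScreened, HostileTar and BenignTar, and the 1 MiB constant that mirrors the upstream cap, are this example's own choices.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// maxSpecialFileSize mirrors the 1 MiB cap Go 1.18.7 / 1.19.2 apply to PAX and
// GNU metadata entries; this screener enforces the same bound up front.
const maxSpecialFileSize = 1 << 20

const blockSize = 512

var ErrOversizedMetadata = errors.New("tar: metadata entry larger than limit")

// isSpecial reports whether archive/tar buffers the entry's whole body in
// memory: these entries carry metadata for the following entry, not file data.
func isSpecial(typeflag byte) bool {
	switch typeflag {
	case tar.TypeXHeader, tar.TypeXGlobalHeader, tar.TypeGNULongName, tar.TypeGNULongLink:
		return true
	}
	return false
}

// parseSize decodes the 12-byte octal size field of a ustar header block.
// GNU base-256 sizes (top bit set) are refused: a metadata entry under the
// limit never needs more than the 11 octal digits allow.
func parseSize(field []byte) (int64, error) {
	if field[0]&0x80 != 0 {
		return 0, errors.New("tar: base-256 size field not accepted by screener")
	}
	s := strings.Trim(string(field), " \x00")
	if s == "" {
		return 0, nil
	}
	return strconv.ParseInt(s, 8, 64)
}

// ScreenTar reads header blocks from r and fails fast if a metadata entry
// declares a body larger than limit. Bodies are skipped with io.CopyN, so the
// screener itself uses constant memory regardless of what the archive claims.
func ScreenTar(r io.Reader, limit int64) error {
	var block [blockSize]byte
	zero := make([]byte, blockSize)
	for {
		if _, err := io.ReadFull(r, block[:]); err != nil {
			if err == io.EOF {
				return nil // stream ended without the trailing zero blocks
			}
			return err
		}
		if bytes.Equal(block[:], zero) {
			return nil // end-of-archive marker
		}
		size, err := parseSize(block[124:136])
		if err != nil {
			return err
		}
		if size < 0 {
			return errors.New("tar: negative size field")
		}
		if isSpecial(block[156]) && size > limit {
			return fmt.Errorf("%w: typeflag %q declares %d bytes", ErrOversizedMetadata, block[156], size)
		}
		padded := (size + blockSize - 1) / blockSize * blockSize // body is block-padded
		if _, err := io.CopyN(io.Discard, r, padded); err != nil {
			return err
		}
	}
}

// ListScreened screens data first and only then hands it to archive/tar,
// returning the entry names.
func ListScreened(data []byte, limit int64) ([]string, error) {
	if err := ScreenTar(bytes.NewReader(data), limit); err != nil {
		return nil, err
	}
	tr := tar.NewReader(bytes.NewReader(data))
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
}

// BenignTar is a constructed sample archive holding one small regular file.
func BenignTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello\n")
	tw.WriteHeader(&tar.Header{Name: "hello.txt", Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

// HostileTar is a constructed archive whose only block is a PAX extended
// header ('x') declaring a 4 GiB body that is not actually present: the shape
// that made a pre-fix reader allocate according to the declared size.
func HostileTar() []byte {
	var blk [blockSize]byte
	copy(blk[0:], "PaxHeader/evil")
	copy(blk[100:], "0000644\x00")
	copy(blk[108:], "0000000\x00")
	copy(blk[116:], "0000000\x00")
	copy(blk[124:], "40000000000\x00") // 4 GiB in octal
	copy(blk[136:], "00000000000\x00")
	blk[156] = tar.TypeXHeader
	copy(blk[257:], "ustar\x0000")
	copy(blk[148:], "        ") // checksum is computed with its own field as spaces
	var sum int
	for _, b := range blk {
		sum += int(b)
	}
	copy(blk[148:], fmt.Sprintf("%06o\x00 ", sum))
	return blk[:]
}

func main() {
	names, err := ListScreened(BenignTar(), maxSpecialFileSize)
	fmt.Println("benign:", names, err)
	_, err = ListScreened(HostileTar(), maxSpecialFileSize)
	fmt.Println("hostile:", err)
}
```

On a patched toolchain tar.Reader itself now rejects such an entry with an error; the up-front screener still matters where archive bytes are also handed to third-party tar code, such as the tar-split library named in the statement, or where a service must refuse the upload before reading any body at all.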
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by net/http/httputil ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value: the proxy makes its decisions on the parameters it parsed, while the backend receives, and may interpret, the raw ones it never saw. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
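Added example (the editor's, not code from the advisory or from the Go project) showing the forwarding behaviour the CVE-2022-2880 description above refers to. It puts a ReverseProxy in front of an in-process echo backend, sends a constructed query that mixes a valid pair, a malformed percent-escape and a ';'-joined pair, and returns what the backend received. SanitizeQuery reproduces the intent of the upstream fix: forward the raw query only when every pair is parseable, otherwise re-encode just the pairs url.ParseQuery accepted. The host names backend.internal and proxy.example, the mode strings and the X-Proxy-Decision header are illustrative choices of this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// HostileQuery is a constructed inbound query: one valid pair, one with a
// malformed escape, and one joined with ';', which net/http no longer treats
// as a separator. url.ParseQuery keeps only user=alice and reports an error.
const HostileQuery = "user=alice&token=%zz&a=1;admin=1"

func isHex(c byte) bool {
	return '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F'
}

// QueryIsClean reports whether raw contains only pairs net/http would parse:
// no ';' and every '%' followed by two hex digits.
func QueryIsClean(raw string) bool {
	for i := 0; i < len(raw); {
		switch raw[i] {
		case ';':
			return false
		case '%':
			if i+2 >= len(raw) || !isHex(raw[i+1]) || !isHex(raw[i+2]) {
				return false
			}
			i += 3
		default:
			i++
		}
	}
	return true
}

// SanitizeQuery returns raw unchanged when it is clean; otherwise it re-encodes
// only the pairs url.ParseQuery accepted, so the backend sees exactly the
// parameters the proxy based its own decisions on.
func SanitizeQuery(raw string) string {
	if QueryIsClean(raw) {
		return raw
	}
	v, _ := url.ParseQuery(raw) // the error names the rejected pairs; they are dropped
	return v.Encode()
}

// handlerTransport hands the proxy's outbound request straight to the backend
// handler, so the example runs without opening sockets.
type handlerTransport struct{ backend http.Handler }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.backend.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// ForwardedQuery sends rawQuery through a ReverseProxy and returns the query
// string the backend received. Mode "raw": the Director never parses the form,
// so the original bytes are forwarded (what a proxy that makes no query-based
// decision does on every Go version). Mode "sanitized": the Director decides
// on r.Form and then forwards only what it parsed.
func ForwardedQuery(rawQuery, mode string) (string, error) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.URL.RawQuery)
	})
	target, _ := url.Parse("http://backend.internal") // hypothetical upstream
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = handlerTransport{backend: echo}

	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r)
		if mode != "sanitized" {
			return
		}
		_ = r.ParseForm() // populates r.Form; unparseable pairs are dropped
		if r.Form.Get("admin") == "1" {
			r.Header.Set("X-Proxy-Decision", "deny") // a real proxy would refuse here
		}
		// Forward only what was parsed. Go >= 1.19.2 does this itself whenever
		// r.Form is set after Director returns; doing it explicitly documents
		// the intent and protects builds on older toolchains.
		r.URL.RawQuery = SanitizeQuery(r.URL.RawQuery)
	}

	req := httptest.NewRequest(http.MethodGet, "http://proxy.example/api?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK {
		return "", fmt.Errorf("proxy returned %d", rec.Code)
	}
	return rec.Body.String(), nil
}

func main() {
	for _, mode := range []string{"raw", "sanitized"} {
		got, err := ForwardedQuery(HostileQuery, mode)
		fmt.Printf("%-9s backend saw %q (err=%v)\n", mode, got, err)
	}
}
```

The pre-fix failure (Director parses r.Form, yet the raw bytes still go upstream) cannot be reproduced on a patched toolchain, because ReverseProxy now cleans RawQuery whenever Form is set after Director returns. The "raw" mode shows the behaviour that is unchanged on every version: a proxy that never parses the query forwards it verbatim, so a backend with a more permissive parser (one that accepts ';' or tolerates bad escapes) must not assume the proxy saw every parameter.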
"product_status": {
"fixed": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"known_not_affected": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-16T08:57:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2780"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"known_not_affected": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-16T08:57:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2780"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"known_not_affected": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-16T08:57:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2780"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"known_not_affected": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-16T08:57:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2780"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.noarch",
"AppStream-8.8.0.GA:cockpit-composer-0:45-1.el8_8.src",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-0:81-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.src",
"AppStream-8.8.0.GA:osbuild-composer-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-core-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-debugsource-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-dnf-json-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-tests-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.aarch64",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.ppc64le",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.s390x",
"AppStream-8.8.0.GA:osbuild-composer-worker-debuginfo-0:75-1.el8.x86_64",
"AppStream-8.8.0.GA:osbuild-luks2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-lvm2-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-ostree-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:osbuild-selinux-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:python3-osbuild-0:81-1.el8.noarch",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.src",
"AppStream-8.8.0.GA:weldr-client-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debuginfo-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-debugsource-0:35.9-2.el8.x86_64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.aarch64",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.ppc64le",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.s390x",
"AppStream-8.8.0.GA:weldr-client-tests-debuginfo-0:35.9-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.