CVE-2025-22871 (GCVE-0-2025-22871)
Vulnerability from cvelistv5 – Published: 2025-04-08 20:04 – Updated: 2026-05-12 12:04
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
| Vendor | Product | Version |
|---|---|---|
| Go standard library | net/http/internal | Affected: 0, < 1.23.8 (semver); Affected: 1.24.0-0, < 1.24.2 (semver) |
| Siemens | SENTRON 7KT PAC1261 Data Manager | Affected: 0, < V2.1.0 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-04-08T21:03:21.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T14:57:03.151639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T14:57:31.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SENTRON 7KT PAC1261 Data Manager",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V2.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:04:11.015Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-783943.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/internal",
"product": "net/http/internal",
"programRoutines": [
{
"name": "readChunkLine"
},
{
"name": "chunkedReader.Read"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.23.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.24.2",
"status": "affected",
"version": "1.24.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jeppe Bonde Weikop"
}
],
"descriptions": [
{
"lang": "en",
"value": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T20:04:34.769Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/652998"
},
{
"url": "https://go.dev/issue/71988"
},
{
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"title": "Request smuggling due to acceptance of invalid chunked data in net/http"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22871",
"datePublished": "2025-04-08T20:04:34.769Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2026-05-12T12:04:11.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-22871",
"date": "2026-06-05",
"epss": "0.00294",
"percentile": "0.5301"
}
}
}
RHSA-2025:8680
Vulnerability from csaf_redhat - Published: 2025-06-09 14:11 - Updated: 2026-05-28 20:49
A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious websites. This attack can be carried out without requiring elevated privileges if anonymous access is enabled.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64 | — | | Vendor Fix (fix), Workaround |
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64 | — | | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\n* grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect (CVE-2025-4123)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8680",
"url": "https://access.redhat.com/errata/RHSA-2025:8680"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "2364632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364632"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8680.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:43+00:00",
"generator": {
"date": "2026-05-28T20:49:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8680",
"initial_release_date": "2025-06-09T14:11:50+00:00",
"revision_history": [
{
"date": "2025-06-09T14:11:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-09T14:11:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-8.el9_2.src",
"product": {
"name": "grafana-0:9.0.9-8.el9_2.src",
"product_id": "grafana-0:9.0.9-8.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-8.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-8.el9_2.aarch64",
"product": {
"name": "grafana-0:9.0.9-8.el9_2.aarch64",
"product_id": "grafana-0:9.0.9-8.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-8.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"product": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"product_id": "grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-8.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"product_id": "grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-8.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-8.el9_2.ppc64le",
"product": {
"name": "grafana-0:9.0.9-8.el9_2.ppc64le",
"product_id": "grafana-0:9.0.9-8.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-8.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"product_id": "grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-8.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"product_id": "grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-8.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-8.el9_2.x86_64",
"product": {
"name": "grafana-0:9.0.9-8.el9_2.x86_64",
"product_id": "grafana-0:9.0.9-8.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-8.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-8.el9_2.x86_64",
"product": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.x86_64",
"product_id": "grafana-debugsource-0:9.0.9-8.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-8.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"product_id": "grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-8.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-8.el9_2.s390x",
"product": {
"name": "grafana-0:9.0.9-8.el9_2.s390x",
"product_id": "grafana-0:9.0.9-8.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-8.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"product": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"product_id": "grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-8.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"product": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"product_id": "grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-8.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-8.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64"
},
"product_reference": "grafana-0:9.0.9-8.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-8.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le"
},
"product_reference": "grafana-0:9.0.9-8.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-8.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x"
},
"product_reference": "grafana-0:9.0.9-8.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-8.el9_2.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src"
},
"product_reference": "grafana-0:9.0.9-8.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-8.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64"
},
"product_reference": "grafana-0:9.0.9-8.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x"
},
"product_reference": "grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-8.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64"
},
"product_reference": "grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x"
},
"product_reference": "grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-8.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
},
"product_reference": "grafana-debugsource-0:9.0.9-8.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-4123",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-05-07T07:34:59.603000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2364632"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana\u0027s custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious websites. This attack can be carried out without requiring elevated privileges if anonymous access is enabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Grafana vulnerability is Important due to its low exploitation barrier and high impact. Unlike typical XSS flaws, it can be triggered without authentication if anonymous access is enabled\u2014a common setup in shared dashboards. It arises from improper handling of user-supplied paths in custom frontend plugins, leading to XSS and open redirect. When combined with the Grafana Image Renderer plugin, it enables full-read SSRF, exposing internal services and cloud metadata. This makes it a high-severity issue with serious real-world implications, especially in misconfigured or publicly exposed Grafana instances.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4123"
},
{
"category": "external",
"summary": "RHBZ#2364632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364632"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4123"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4123",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4123"
},
{
"category": "external",
"summary": "https://grafana.com/grafana/plugins/instana-datasource/?tab=changelog",
"url": "https://grafana.com/grafana/plugins/instana-datasource/?tab=changelog"
}
],
"release_date": "2025-05-15T03:49:32.464000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T14:11:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8680"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect"
},
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T14:11:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8680"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.src",
"AppStream-9.2.0.Z.E4S:grafana-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debuginfo-0:9.0.9-8.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:grafana-debugsource-0:9.0.9-8.el9_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8682
Vulnerability from csaf_redhat - Published: 2025-06-09 14:22 - Updated: 2026-05-28 20:49
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.x86_64 | — | | Vendor Fix (fix); Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8682",
"url": "https://access.redhat.com/errata/RHSA-2025:8682"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8682.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:44+00:00",
"generator": {
"date": "2026-05-28T20:49:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8682",
"initial_release_date": "2025-06-09T14:22:44+00:00",
"revision_history": [
{
"date": "2025-06-09T14:22:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-09T14:22:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-14.el9_6.src",
"product": {
"name": "grafana-0:10.2.6-14.el9_6.src",
"product_id": "grafana-0:10.2.6-14.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-14.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-14.el9_6.aarch64",
"product": {
"name": "grafana-0:10.2.6-14.el9_6.aarch64",
"product_id": "grafana-0:10.2.6-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-14.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"product": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"product_id": "grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-14.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"product": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"product_id": "grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-14.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"product_id": "grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-14.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-14.el9_6.ppc64le",
"product": {
"name": "grafana-0:10.2.6-14.el9_6.ppc64le",
"product_id": "grafana-0:10.2.6-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-14.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"product": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"product_id": "grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-14.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"product": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"product_id": "grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-14.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"product": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"product_id": "grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-14.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-14.el9_6.x86_64",
"product": {
"name": "grafana-0:10.2.6-14.el9_6.x86_64",
"product_id": "grafana-0:10.2.6-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-14.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-14.el9_6.x86_64",
"product": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.x86_64",
"product_id": "grafana-selinux-0:10.2.6-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-14.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"product": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"product_id": "grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-14.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"product": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"product_id": "grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-14.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:10.2.6-14.el9_6.s390x",
"product": {
"name": "grafana-0:10.2.6-14.el9_6.s390x",
"product_id": "grafana-0:10.2.6-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@10.2.6-14.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:10.2.6-14.el9_6.s390x",
"product": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.s390x",
"product_id": "grafana-selinux-0:10.2.6-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@10.2.6-14.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"product": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"product_id": "grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@10.2.6-14.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"product": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"product_id": "grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@10.2.6-14.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.aarch64"
},
"product_reference": "grafana-0:10.2.6-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.ppc64le"
},
"product_reference": "grafana-0:10.2.6-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.s390x"
},
"product_reference": "grafana-0:10.2.6-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-14.el9_6.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.src"
},
"product_reference": "grafana-0:10.2.6-14.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:10.2.6-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.x86_64"
},
"product_reference": "grafana-0:10.2.6-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.aarch64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le"
},
"product_reference": "grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.s390x"
},
"product_reference": "grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:10.2.6-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.x86_64"
},
"product_reference": "grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.aarch64"
},
"product_reference": "grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.ppc64le"
},
"product_reference": "grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.s390x"
},
"product_reference": "grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:10.2.6-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.x86_64"
},
"product_reference": "grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.aarch64"
},
"product_reference": "grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.ppc64le"
},
"product_reference": "grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.s390x"
},
"product_reference": "grafana-selinux-0:10.2.6-14.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:10.2.6-14.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.x86_64"
},
"product_reference": "grafana-selinux-0:10.2.6-14.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T14:22:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8682"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debuginfo-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-debugsource-0:10.2.6-14.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-selinux-0:10.2.6-14.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8685
Vulnerability from csaf_redhat - Published: 2025-06-09 13:44 - Updated: 2026-05-28 20:49
A flaw was found in Grafana's custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious websites. This attack can be carried out without requiring elevated privileges if anonymous access is enabled.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64 | — | | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\n* grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect (CVE-2025-4123)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8685",
"url": "https://access.redhat.com/errata/RHSA-2025:8685"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "2364632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364632"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8685.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:44+00:00",
"generator": {
"date": "2026-05-28T20:49:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8685",
"initial_release_date": "2025-06-09T13:44:39+00:00",
"revision_history": [
{
"date": "2025-06-09T13:44:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-09T13:44:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.5.15-7.el8_8.src",
"product": {
"name": "grafana-0:7.5.15-7.el8_8.src",
"product_id": "grafana-0:7.5.15-7.el8_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.5.15-7.el8_8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.5.15-7.el8_8.ppc64le",
"product": {
"name": "grafana-0:7.5.15-7.el8_8.ppc64le",
"product_id": "grafana-0:7.5.15-7.el8_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.5.15-7.el8_8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"product": {
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"product_id": "grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@7.5.15-7.el8_8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.5.15-7.el8_8.x86_64",
"product": {
"name": "grafana-0:7.5.15-7.el8_8.x86_64",
"product_id": "grafana-0:7.5.15-7.el8_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.5.15-7.el8_8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"product": {
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"product_id": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@7.5.15-7.el8_8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.5.15-7.el8_8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le"
},
"product_reference": "grafana-0:7.5.15-7.el8_8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.5.15-7.el8_8.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src"
},
"product_reference": "grafana-0:7.5.15-7.el8_8.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.5.15-7.el8_8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64"
},
"product_reference": "grafana-0:7.5.15-7.el8_8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le"
},
"product_reference": "grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
},
"product_reference": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.5.15-7.el8_8.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src"
},
"product_reference": "grafana-0:7.5.15-7.el8_8.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.5.15-7.el8_8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64"
},
"product_reference": "grafana-0:7.5.15-7.el8_8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
},
"product_reference": "grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-4123",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-05-07T07:34:59.603000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2364632"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana\u0027s custom frontend plugin handling. This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by exploiting a client path traversal and an open redirect issue, leading to arbitrary JavaScript execution and potential user redirection to malicious websites. This attack can be carried out without requiring elevated privileges if anonymous access is enabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Grafana vulnerability is Important due to its low exploitation barrier and high impact. Unlike typical XSS flaws, it can be triggered without authentication if anonymous access is enabled\u2014a common setup in shared dashboards. It arises from improper handling of user-supplied paths in custom frontend plugins, leading to XSS and open redirect. When combined with the Grafana Image Renderer plugin, it enables full-read SSRF, exposing internal services and cloud metadata. This makes it a high-severity issue with serious real-world implications, especially in misconfigured or publicly exposed Grafana instances.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4123"
},
{
"category": "external",
"summary": "RHBZ#2364632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364632"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4123"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4123",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4123"
},
{
"category": "external",
"summary": "https://grafana.com/grafana/plugins/instana-datasource/?tab=changelog",
"url": "https://grafana.com/grafana/plugins/instana-datasource/?tab=changelog"
}
],
"release_date": "2025-05-15T03:49:32.464000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T13:44:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8685"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect"
},
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T13:44:39+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8685"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.E4S:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.ppc64le",
"AppStream-8.8.0.Z.E4S:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.src",
"AppStream-8.8.0.Z.TUS:grafana-0:7.5.15-7.el8_8.x86_64",
"AppStream-8.8.0.Z.TUS:grafana-debuginfo-0:7.5.15-7.el8_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8689
Vulnerability from csaf_redhat - Published: 2025-06-09 14:35 - Updated: 2026-05-28 20:49
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-9.el9_4.noarch | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-9.el9_4.noarch | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-9.el9_4.noarch | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-9.el9_4.noarch | — | | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8689",
"url": "https://access.redhat.com/errata/RHSA-2025:8689"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8689.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:46+00:00",
"generator": {
"date": "2026-05-28T20:49:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8689",
"initial_release_date": "2025-06-09T14:35:25+00:00",
"revision_history": [
{
"date": "2025-06-09T14:35:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-09T14:35:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-9.el9_4.aarch64",
"product": {
"name": "go-toolset-0:1.21.13-9.el9_4.aarch64",
"product_id": "go-toolset-0:1.21.13-9.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-9.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-9.el9_4.aarch64",
"product": {
"name": "golang-0:1.21.13-9.el9_4.aarch64",
"product_id": "golang-0:1.21.13-9.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-9.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-9.el9_4.aarch64",
"product": {
"name": "golang-bin-0:1.21.13-9.el9_4.aarch64",
"product_id": "golang-bin-0:1.21.13-9.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-9.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-9.el9_4.ppc64le",
"product": {
"name": "go-toolset-0:1.21.13-9.el9_4.ppc64le",
"product_id": "go-toolset-0:1.21.13-9.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-9.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-9.el9_4.ppc64le",
"product": {
"name": "golang-0:1.21.13-9.el9_4.ppc64le",
"product_id": "golang-0:1.21.13-9.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-9.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-9.el9_4.ppc64le",
"product": {
"name": "golang-bin-0:1.21.13-9.el9_4.ppc64le",
"product_id": "golang-bin-0:1.21.13-9.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-9.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-9.el9_4.x86_64",
"product": {
"name": "go-toolset-0:1.21.13-9.el9_4.x86_64",
"product_id": "go-toolset-0:1.21.13-9.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-9.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-9.el9_4.x86_64",
"product": {
"name": "golang-0:1.21.13-9.el9_4.x86_64",
"product_id": "golang-0:1.21.13-9.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-9.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-9.el9_4.x86_64",
"product": {
"name": "golang-bin-0:1.21.13-9.el9_4.x86_64",
"product_id": "golang-bin-0:1.21.13-9.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-9.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-9.el9_4.s390x",
"product": {
"name": "go-toolset-0:1.21.13-9.el9_4.s390x",
"product_id": "go-toolset-0:1.21.13-9.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-9.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-9.el9_4.s390x",
"product": {
"name": "golang-0:1.21.13-9.el9_4.s390x",
"product_id": "golang-0:1.21.13-9.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-9.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-9.el9_4.s390x",
"product": {
"name": "golang-bin-0:1.21.13-9.el9_4.s390x",
"product_id": "golang-bin-0:1.21.13-9.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-9.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.21.13-9.el9_4.src",
"product": {
"name": "golang-0:1.21.13-9.el9_4.src",
"product_id": "golang-0:1.21.13-9.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-9.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.21.13-9.el9_4.noarch",
"product": {
"name": "golang-docs-0:1.21.13-9.el9_4.noarch",
"product_id": "golang-docs-0:1.21.13-9.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.21.13-9.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.21.13-9.el9_4.noarch",
"product": {
"name": "golang-misc-0:1.21.13-9.el9_4.noarch",
"product_id": "golang-misc-0:1.21.13-9.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.21.13-9.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.21.13-9.el9_4.noarch",
"product": {
"name": "golang-src-0:1.21.13-9.el9_4.noarch",
"product_id": "golang-src-0:1.21.13-9.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.21.13-9.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.21.13-9.el9_4.noarch",
"product": {
"name": "golang-tests-0:1.21.13-9.el9_4.noarch",
"product_id": "golang-tests-0:1.21.13-9.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.21.13-9.el9_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-9.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.aarch64"
},
"product_reference": "go-toolset-0:1.21.13-9.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-9.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.ppc64le"
},
"product_reference": "go-toolset-0:1.21.13-9.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-9.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.s390x"
},
"product_reference": "go-toolset-0:1.21.13-9.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-9.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.x86_64"
},
"product_reference": "go-toolset-0:1.21.13-9.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-9.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.aarch64"
},
"product_reference": "golang-0:1.21.13-9.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-9.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.ppc64le"
},
"product_reference": "golang-0:1.21.13-9.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-9.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.s390x"
},
"product_reference": "golang-0:1.21.13-9.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-9.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.src"
},
"product_reference": "golang-0:1.21.13-9.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-9.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.x86_64"
},
"product_reference": "golang-0:1.21.13-9.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-9.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.aarch64"
},
"product_reference": "golang-bin-0:1.21.13-9.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-9.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.ppc64le"
},
"product_reference": "golang-bin-0:1.21.13-9.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-9.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.s390x"
},
"product_reference": "golang-bin-0:1.21.13-9.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-9.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.x86_64"
},
"product_reference": "golang-bin-0:1.21.13-9.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.21.13-9.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-9.el9_4.noarch"
},
"product_reference": "golang-docs-0:1.21.13-9.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.21.13-9.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-9.el9_4.noarch"
},
"product_reference": "golang-misc-0:1.21.13-9.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.21.13-9.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-9.el9_4.noarch"
},
"product_reference": "golang-src-0:1.21.13-9.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.21.13-9.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-9.el9_4.noarch"
},
"product_reference": "golang-tests-0:1.21.13-9.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-9.el9_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T14:35:25+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-9.el9_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8689"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-9.el9_4.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-9.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-9.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-9.el9_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8691
Vulnerability from csaf_redhat - Published: 2025-06-09 14:26 - Updated: 2026-06-06 07:17
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHACM-2.13:rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHACM-2.13:rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64 | — |
Vendor Fix
fix
Workaround
|
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Submariner 0.20 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.13",
"title": "Topic"
},
{
"category": "general",
"text": "Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud.\n\nFor more information about Submariner, see the Submariner open source community website at: https://submariner.io/.\n\nThis advisory contains bug fixes and enhancements to the Submariner container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.\n\nSecurity fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n* golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8691",
"url": "https://access.redhat.com/errata/RHSA-2025:8691"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2354195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354195"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "ACM-20580",
"url": "https://issues.redhat.com/browse/ACM-20580"
},
{
"category": "external",
"summary": "HYPBLD-664",
"url": "https://issues.redhat.com/browse/HYPBLD-664"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8691.json"
}
],
"title": "Red Hat Security Advisory: RHSA: Submariner 0.20.1 - bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-06T07:17:39+00:00",
"generator": {
"date": "2026-06-06T07:17:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:8691",
"initial_release_date": "2025-06-09T14:26:17+00:00",
"revision_history": [
{
"date": "2025-06-09T14:26:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-09T14:26:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-06T07:17:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product": {
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:acm:2.13::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat ACM"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656_ppc64le",
"product": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656_ppc64le",
"product_id": "rhacm2/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-agent-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4_ppc64le",
"product": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4_ppc64le",
"product_id": "rhacm2/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-coredns-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97_ppc64le",
"product": {
"name": "rhacm2/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97_ppc64le",
"product_id": "rhacm2/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/nettest-rhel9\u0026tag=v0.20.1-4"
}
}
},
{
"category": "product_version",
"name": "rhacm2/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f_ppc64le",
"product": {
"name": "rhacm2/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f_ppc64le",
"product_id": "rhacm2/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/subctl-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e_ppc64le",
"product": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e_ppc64le",
"product_id": "rhacm2/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/submariner-gateway-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d_ppc64le",
"product": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d_ppc64le",
"product_id": "rhacm2/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/submariner-globalnet-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152_ppc64le",
"product": {
"name": "rhacm2/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152_ppc64le",
"product_id": "rhacm2/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/submariner-operator-bundle\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549_ppc64le",
"product": {
"name": "rhacm2/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549_ppc64le",
"product_id": "rhacm2/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/submariner-rhel9-operator\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db_ppc64le",
"product": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db_ppc64le",
"product_id": "rhacm2/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/submariner-route-agent-rhel9\u0026tag=v0.20.1-2"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x",
"product": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x",
"product_id": "rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-agent-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593_s390x",
"product": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593_s390x",
"product_id": "rhacm2/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593_s390x",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-coredns-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c_s390x",
"product": {
"name": "rhacm2/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c_s390x",
"product_id": "rhacm2/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/nettest-rhel9\u0026tag=v0.20.1-4"
}
}
},
{
"category": "product_version",
"name": "rhacm2/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979_s390x",
"product": {
"name": "rhacm2/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979_s390x",
"product_id": "rhacm2/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979_s390x",
"product_identification_helper": {
"purl": "pkg:oci/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/subctl-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225_s390x",
"product": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225_s390x",
"product_id": "rhacm2/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225_s390x",
"product_identification_helper": {
"purl": "pkg:oci/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/submariner-gateway-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126_s390x",
"product": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126_s390x",
"product_id": "rhacm2/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126_s390x",
"product_identification_helper": {
"purl": "pkg:oci/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/submariner-globalnet-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8_s390x",
"product": {
"name": "rhacm2/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8_s390x",
"product_id": "rhacm2/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/submariner-operator-bundle\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3_s390x",
"product": {
"name": "rhacm2/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3_s390x",
"product_id": "rhacm2/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/submariner-rhel9-operator\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x",
"product": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x",
"product_id": "rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x",
"product_identification_helper": {
"purl": "pkg:oci/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/submariner-route-agent-rhel9\u0026tag=v0.20.1-2"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0_amd64",
"product": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0_amd64",
"product_id": "rhacm2/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-agent-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df_amd64",
"product": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df_amd64",
"product_id": "rhacm2/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df_amd64",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-coredns-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a_amd64",
"product": {
"name": "rhacm2/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a_amd64",
"product_id": "rhacm2/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/nettest-rhel9\u0026tag=v0.20.1-4"
}
}
},
{
"category": "product_version",
"name": "rhacm2/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0_amd64",
"product": {
"name": "rhacm2/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0_amd64",
"product_id": "rhacm2/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/subctl-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9_amd64",
"product": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9_amd64",
"product_id": "rhacm2/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/submariner-gateway-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781_amd64",
"product": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781_amd64",
"product_id": "rhacm2/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781_amd64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/submariner-globalnet-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d_amd64",
"product": {
"name": "rhacm2/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d_amd64",
"product_id": "rhacm2/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/submariner-operator-bundle\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c_amd64",
"product": {
"name": "rhacm2/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c_amd64",
"product_id": "rhacm2/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/submariner-rhel9-operator\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64",
"product": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64",
"product_id": "rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/submariner-route-agent-rhel9\u0026tag=v0.20.1-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64",
"product": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64",
"product_id": "rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-agent-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06_arm64",
"product": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06_arm64",
"product_id": "rhacm2/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06_arm64",
"product_identification_helper": {
"purl": "pkg:oci/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/lighthouse-coredns-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617_arm64",
"product": {
"name": "rhacm2/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617_arm64",
"product_id": "rhacm2/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617_arm64",
"product_identification_helper": {
"purl": "pkg:oci/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/nettest-rhel9\u0026tag=v0.20.1-4"
}
}
},
{
"category": "product_version",
"name": "rhacm2/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c_arm64",
"product": {
"name": "rhacm2/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c_arm64",
"product_id": "rhacm2/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/subctl-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850_arm64",
"product": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850_arm64",
"product_id": "rhacm2/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850_arm64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/submariner-gateway-rhel9\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39_arm64",
"product": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39_arm64",
"product_id": "rhacm2/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39_arm64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/submariner-globalnet-rhel9\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b_arm64",
"product": {
"name": "rhacm2/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b_arm64",
"product_id": "rhacm2/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b_arm64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/submariner-operator-bundle\u0026tag=v0.20.1-1"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5_arm64",
"product": {
"name": "rhacm2/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5_arm64",
"product_id": "rhacm2/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5_arm64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/submariner-rhel9-operator\u0026tag=v0.20.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64",
"product": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64",
"product_id": "rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/submariner-route-agent-rhel9\u0026tag=v0.20.1-2"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x"
},
"product_reference": "rhacm2/lighthouse-agent-rhel9@sha256:2a9db14fa216426d95d202069e5760c42c69cf9103b4c5329750fbb6d82c75e9_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64"
},
"product_reference": "rhacm2/lighthouse-agent-rhel9@sha256:5c4b37026e58b2076c283e7c8a6c0a10f19409d348c7273d7c90f4faaea75724_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656_ppc64le"
},
"product_reference": "rhacm2/lighthouse-agent-rhel9@sha256:b2961b4eaf51ca49ccb6b116de8a24949f2fb8c7bb4c6be6325f7e92e4241656_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0_amd64"
},
"product_reference": "rhacm2/lighthouse-agent-rhel9@sha256:f551c0c21d76bd9d1bf22a3451baad512ead453464a4a6d56feb7a2c706060e0_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06_arm64"
},
"product_reference": "rhacm2/lighthouse-coredns-rhel9@sha256:70746910e44b2eb8b06540fd8f04d47ff7f81fb8d6306cb4320e45d313d20e06_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4_ppc64le"
},
"product_reference": "rhacm2/lighthouse-coredns-rhel9@sha256:b48943833247d310361a59aa94ae763dee54969d9dff878215ca026775d8a4d4_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593_s390x"
},
"product_reference": "rhacm2/lighthouse-coredns-rhel9@sha256:c8c9e3d6b3f958f1ae26bb181d4e148110942d6dfa37fd394871b3e3778ad593_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df_amd64"
},
"product_reference": "rhacm2/lighthouse-coredns-rhel9@sha256:d9b9c13df0d49620d7250690e73d4c0c46943c87df518b00241c7f4902a9c6df_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97_ppc64le"
},
"product_reference": "rhacm2/nettest-rhel9@sha256:4f2aee7f7c6b338bd2346a20388b546d7a1aa02e84b7abadc1e926b201ec4d97_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617_arm64"
},
"product_reference": "rhacm2/nettest-rhel9@sha256:7093a26d8997cd5b6f56449a957c20b96e815a94373c8497fca824f0c8b4c617_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a_amd64"
},
"product_reference": "rhacm2/nettest-rhel9@sha256:727fbd7649db6c907a8a851db64cec1ad325ae10ae182bcf8aa45a306c53778a_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c_s390x"
},
"product_reference": "rhacm2/nettest-rhel9@sha256:cb76796c20f623626a910d7e91a3f532e3859374241409413b9d73f78a02cb2c_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c_arm64"
},
"product_reference": "rhacm2/subctl-rhel9@sha256:0c6d4c3366a9bb1725dc55c37e96c879472d11962bb805f62ab3cf6bb500248c_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979_s390x"
},
"product_reference": "rhacm2/subctl-rhel9@sha256:7c3174c2e7d0335c677eb2fca423bf2a57d4c97cddce389144c43c8e8ef1e979_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f_ppc64le"
},
"product_reference": "rhacm2/subctl-rhel9@sha256:8bc8a51cb0b7f91f4927a830c2b3d3ab850e9514c89406ed8c34f5fd8ac0100f_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0_amd64"
},
"product_reference": "rhacm2/subctl-rhel9@sha256:b6149d811167a0dce536c965ce40b895a4cb1a9f164bc76f6cc3a935ab31a5f0_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225_s390x"
},
"product_reference": "rhacm2/submariner-gateway-rhel9@sha256:00a32bb72dc29a566ebe4cbc3328732335f7ad07edb192a1862c61f786536225_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9_amd64"
},
"product_reference": "rhacm2/submariner-gateway-rhel9@sha256:0e1dfe07e4b5723c17ef30fda12401a522ed2eeb8ddd0673c6ea3677c713dbc9_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850_arm64"
},
"product_reference": "rhacm2/submariner-gateway-rhel9@sha256:464177ebc6dbf5dec0358624c06ae0c878987bdb14773572ae78628ef2d0d850_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e_ppc64le"
},
"product_reference": "rhacm2/submariner-gateway-rhel9@sha256:5c13590dab75fea67e6786df80cb510575087c187690e3f92e0121e3450f5c0e_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d_ppc64le"
},
"product_reference": "rhacm2/submariner-globalnet-rhel9@sha256:2922980602767d132ad7ff13d104b5ee26330af2b8cb88a00a12fb004192d77d_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126_s390x"
},
"product_reference": "rhacm2/submariner-globalnet-rhel9@sha256:4da2c708f36e002ace1a968269b7cdc7e1d230bc479b9adeb72f1fd01fc47126_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39_arm64"
},
"product_reference": "rhacm2/submariner-globalnet-rhel9@sha256:ac3c412a954d413a94477f6d8fe0b6ed8106be8ad5f18a3d025ed6f2e7c92e39_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781_amd64"
},
"product_reference": "rhacm2/submariner-globalnet-rhel9@sha256:aebb9661bf805b95aa917cc367e5f4482009892d6548549e2c93ed6c2fb06781_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152_ppc64le"
},
"product_reference": "rhacm2/submariner-operator-bundle@sha256:0afb3c827adda79c353e8d1e8c5295f93c866558c6c1f5c6ff0d6e532e103152_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8_s390x"
},
"product_reference": "rhacm2/submariner-operator-bundle@sha256:41c4c4d21e5120d28f2d2738351559d46ed1d99240fc255af04776bfcbe603a8_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d_amd64"
},
"product_reference": "rhacm2/submariner-operator-bundle@sha256:90505e5ffaee7af330306c4e045d3755e0c74d30b9f45e1e7739c205d945872d_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b_arm64"
},
"product_reference": "rhacm2/submariner-operator-bundle@sha256:de7336aa000175652a67262207d2a4ffe2b4b07d4f23b74c19bf798bdf3e226b_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c_amd64"
},
"product_reference": "rhacm2/submariner-rhel9-operator@sha256:07f04332d6f47e7f396aa1d5876dc93a5eafe1a4c990acf1e16432dbe158c42c_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5_arm64"
},
"product_reference": "rhacm2/submariner-rhel9-operator@sha256:14bca152aaa027eeb522a16e067157d35df3f3ccd1aaed2e62e5ec0b5ae7f8e5_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3_s390x"
},
"product_reference": "rhacm2/submariner-rhel9-operator@sha256:50dae447651e1752431208c46c50568066fcb6dc8ca3a405d7c0f4f4b8aecfd3_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549_ppc64le"
},
"product_reference": "rhacm2/submariner-rhel9-operator@sha256:f6ac444edb3e2520dd9d8bdd02d6a601799f147e78076b131d0c79fa45a91549_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db_ppc64le"
},
"product_reference": "rhacm2/submariner-route-agent-rhel9@sha256:39208ace7f2a9bd72696d0b38a7ccaf28631a86aedcbaa8b95f656a2d53b69db_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64"
},
"product_reference": "rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64"
},
"product_reference": "rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x"
},
"product_reference": "rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T14:26:17+00:00",
"details": "To learn more about Submariner, see https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/networking/networking#submariner.",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:442d7f3af7d7c3ca2aa477542435e7bd45b9da42bce3550589248aae69002bb2_arm64",
"9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64",
"9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8691"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
},
{
"cve": "CVE-2025-30204",
"cwe": {
"id": "CWE-405",
"name": "Asymmetric Resource Consumption (Amplification)"
},
"discovery_date": "2025-03-21T22:00:43.818367+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2354195"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-30204"
},
{
"category": "external",
"summary": "RHBZ#2354195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354195"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-30204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30204"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204"
},
{
"category": "external",
"summary": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3",
"url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"
},
{
"category": "external",
"summary": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp",
"url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3553",
"url": "https://pkg.go.dev/vuln/GO-2025-3553"
}
],
"release_date": "2025-03-21T21:42:01.382000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-09T14:26:17+00:00",
"details": "To learn more about Submariner, see https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html/networking/networking#submariner.",
"product_ids": [
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8691"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:b18f40ee190c707ee3ccd5e476befa13dc7370c5772b6d752ecfd66e6b930500_amd64",
"9Base-RHACM-2.13:rhacm2/submariner-route-agent-rhel9@sha256:b4cb56207415dba58e26dbd0c20ab03bd7d373ed4dbe38afff625c09b0c34045_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing"
}
]
}
RHSA-2025:8737
Vulnerability from csaf_redhat - Published: 2025-06-10 16:52 - Updated: 2026-05-28 20:49
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-16.el9_2.noarch | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-16.el9_2.noarch | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-16.el9_2.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-16.el9_2.noarch | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-16.el9_2.noarch | — | | Vendor Fix (fix); Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8737",
"url": "https://access.redhat.com/errata/RHSA-2025:8737"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8737.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:45+00:00",
"generator": {
"date": "2026-05-28T20:49:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8737",
"initial_release_date": "2025-06-10T16:52:37+00:00",
"revision_history": [
{
"date": "2025-06-10T16:52:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-10T16:52:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-16.el9_2.src",
"product": {
"name": "golang-0:1.19.13-16.el9_2.src",
"product_id": "golang-0:1.19.13-16.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-16.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-16.el9_2.aarch64",
"product": {
"name": "golang-0:1.19.13-16.el9_2.aarch64",
"product_id": "golang-0:1.19.13-16.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-16.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-16.el9_2.aarch64",
"product": {
"name": "golang-bin-0:1.19.13-16.el9_2.aarch64",
"product_id": "golang-bin-0:1.19.13-16.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-16.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-16.el9_2.ppc64le",
"product": {
"name": "golang-0:1.19.13-16.el9_2.ppc64le",
"product_id": "golang-0:1.19.13-16.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-16.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-16.el9_2.ppc64le",
"product": {
"name": "golang-bin-0:1.19.13-16.el9_2.ppc64le",
"product_id": "golang-bin-0:1.19.13-16.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-16.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-16.el9_2.x86_64",
"product": {
"name": "golang-0:1.19.13-16.el9_2.x86_64",
"product_id": "golang-0:1.19.13-16.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-16.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-16.el9_2.x86_64",
"product": {
"name": "golang-bin-0:1.19.13-16.el9_2.x86_64",
"product_id": "golang-bin-0:1.19.13-16.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-16.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.19.13-16.el9_2.x86_64",
"product": {
"name": "golang-race-0:1.19.13-16.el9_2.x86_64",
"product_id": "golang-race-0:1.19.13-16.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.19.13-16.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-16.el9_2.s390x",
"product": {
"name": "golang-0:1.19.13-16.el9_2.s390x",
"product_id": "golang-0:1.19.13-16.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-16.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-16.el9_2.s390x",
"product": {
"name": "golang-bin-0:1.19.13-16.el9_2.s390x",
"product_id": "golang-bin-0:1.19.13-16.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-16.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.19.13-16.el9_2.noarch",
"product": {
"name": "golang-docs-0:1.19.13-16.el9_2.noarch",
"product_id": "golang-docs-0:1.19.13-16.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.19.13-16.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.19.13-16.el9_2.noarch",
"product": {
"name": "golang-misc-0:1.19.13-16.el9_2.noarch",
"product_id": "golang-misc-0:1.19.13-16.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.19.13-16.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.19.13-16.el9_2.noarch",
"product": {
"name": "golang-src-0:1.19.13-16.el9_2.noarch",
"product_id": "golang-src-0:1.19.13-16.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.19.13-16.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.19.13-16.el9_2.noarch",
"product": {
"name": "golang-tests-0:1.19.13-16.el9_2.noarch",
"product_id": "golang-tests-0:1.19.13-16.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.19.13-16.el9_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-16.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.aarch64"
},
"product_reference": "golang-0:1.19.13-16.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-16.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.ppc64le"
},
"product_reference": "golang-0:1.19.13-16.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-16.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.s390x"
},
"product_reference": "golang-0:1.19.13-16.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-16.el9_2.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.src"
},
"product_reference": "golang-0:1.19.13-16.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-16.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.x86_64"
},
"product_reference": "golang-0:1.19.13-16.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-16.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.aarch64"
},
"product_reference": "golang-bin-0:1.19.13-16.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-16.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.ppc64le"
},
"product_reference": "golang-bin-0:1.19.13-16.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-16.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.s390x"
},
"product_reference": "golang-bin-0:1.19.13-16.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-16.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.x86_64"
},
"product_reference": "golang-bin-0:1.19.13-16.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-16.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-16.el9_2.noarch"
},
"product_reference": "golang-docs-0:1.19.13-16.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-16.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-16.el9_2.noarch"
},
"product_reference": "golang-misc-0:1.19.13-16.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-16.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-16.el9_2.x86_64"
},
"product_reference": "golang-race-0:1.19.13-16.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-16.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-16.el9_2.noarch"
},
"product_reference": "golang-src-0:1.19.13-16.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-16.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-16.el9_2.noarch"
},
"product_reference": "golang-tests-0:1.19.13-16.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-16.el9_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-10T16:52:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-16.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8737"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-16.el9_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-16.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-16.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-16.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8915
Vulnerability from csaf_redhat - Published: 2025-06-11 15:46 - Updated: 2026-05-28 20:49
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64 | — | | Vendor Fix (fix); Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8915",
"url": "https://access.redhat.com/errata/RHSA-2025:8915"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8915.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:46+00:00",
"generator": {
"date": "2026-05-28T20:49:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8915",
"initial_release_date": "2025-06-11T15:46:44+00:00",
"revision_history": [
{
"date": "2025-06-11T15:46:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-11T15:46:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.2.2-3.el10_0.src",
"product": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.src",
"product_id": "grafana-pcp-0:5.2.2-3.el10_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.2.2-3.el10_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"product": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"product_id": "grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.2.2-3.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.2.2-3.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.2.2-3.el10_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"product": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"product_id": "grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.2.2-3.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.2.2-3.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.2.2-3.el10_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"product": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"product_id": "grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.2.2-3.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.2.2-3.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.2.2-3.el10_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.2.2-3.el10_0.s390x",
"product": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.s390x",
"product_id": "grafana-pcp-0:5.2.2-3.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.2.2-3.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"product_id": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.2.2-3.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.2.2-3.el10_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.aarch64"
},
"product_reference": "grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.ppc64le"
},
"product_reference": "grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.s390x"
},
"product_reference": "grafana-pcp-0:5.2.2-3.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.src"
},
"product_reference": "grafana-pcp-0:5.2.2-3.el10_0.src",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.2.2-3.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.x86_64"
},
"product_reference": "grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.src",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-11T15:46:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.src",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8915"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.src",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.src",
"AppStream-10.0.Z:grafana-pcp-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debuginfo-0:5.2.2-3.el10_0.x86_64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.aarch64",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.ppc64le",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.s390x",
"AppStream-10.0.Z:grafana-pcp-debugsource-0:5.2.2-3.el10_0.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8916
Vulnerability from csaf_redhat - Published: 2025-06-11 15:46 - Updated: 2026-05-28 20:49

A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64 | — | | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8916",
"url": "https://access.redhat.com/errata/RHSA-2025:8916"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8916.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:46+00:00",
"generator": {
"date": "2026-05-28T20:49:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8916",
"initial_release_date": "2025-06-11T15:46:48+00:00",
"revision_history": [
{
"date": "2025-06-11T15:46:48+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-11T15:46:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-11.el9_6.src",
"product": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.src",
"product_id": "grafana-pcp-0:5.1.1-11.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-11.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"product": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"product_id": "grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-11.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-11.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-11.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"product": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"product_id": "grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-11.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-11.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-11.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"product": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"product_id": "grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-11.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-11.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-11.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-11.el9_6.s390x",
"product": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.s390x",
"product_id": "grafana-pcp-0:5.1.1-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-11.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"product_id": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-11.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-11.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.aarch64"
},
"product_reference": "grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.ppc64le"
},
"product_reference": "grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.s390x"
},
"product_reference": "grafana-pcp-0:5.1.1-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.src"
},
"product_reference": "grafana-pcp-0:5.1.1-11.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.x86_64"
},
"product_reference": "grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-11T15:46:48+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8916"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-11.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-11.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8918
Vulnerability from csaf_redhat - Published: 2025-06-11 16:05 - Updated: 2026-05-28 20:49
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.aarch64 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.ppc64le | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.s390x | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.src | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.x86_64 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64 | — | Vendor Fix, fix, Workaround | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8918",
"url": "https://access.redhat.com/errata/RHSA-2025:8918"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8918.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:47+00:00",
"generator": {
"date": "2026-05-28T20:49:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8918",
"initial_release_date": "2025-06-11T16:05:50+00:00",
"revision_history": [
{
"date": "2025-06-11T16:05:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-11T16:05:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-10.el8_10.src",
"product": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.src",
"product_id": "grafana-pcp-0:5.1.1-10.el8_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-10.el8_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"product": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"product_id": "grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-10.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-10.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-10.el8_10?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"product": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"product_id": "grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-10.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-10.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-10.el8_10?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"product": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"product_id": "grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-10.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-10.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-10.el8_10?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-10.el8_10.s390x",
"product": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.s390x",
"product_id": "grafana-pcp-0:5.1.1-10.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-10.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"product_id": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-10.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-10.el8_10?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.aarch64"
},
"product_reference": "grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.ppc64le"
},
"product_reference": "grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.s390x"
},
"product_reference": "grafana-pcp-0:5.1.1-10.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.src"
},
"product_reference": "grafana-pcp-0:5.1.1-10.el8_10.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-10.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.x86_64"
},
"product_reference": "grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-11T16:05:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8918"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-10.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-10.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
RHSA-2025:8974
Vulnerability from csaf_redhat - Published: 2025-06-12 05:41 - Updated: 2026-05-28 20:49
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:8974",
"url": "https://access.redhat.com/errata/RHSA-2025:8974"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8974.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-05-28T20:49:47+00:00",
"generator": {
"date": "2026-05-28T20:49:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:8974",
"initial_release_date": "2025-06-12T05:41:22+00:00",
"revision_history": [
{
"date": "2025-06-12T05:41:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-12T05:41:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T20:49:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src (go-toolset:rhel8)",
"product_id": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=src\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.13-3.module%2Bel8.8.0%2B22903%2B37387f31?arch=src\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src (go-toolset:rhel8)",
"product_id": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=src\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.9.1-1.module%2Bel8.8.0%2B16778%2B5fbb74f5?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.13-3.module%2Bel8.8.0%2B22903%2B37387f31?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=noarch\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.13-3.module%2Bel8.8.0%2B22903%2B37387f31?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le (go-toolset:rhel8)",
"product_id": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-15.module%2Bel8.8.0%2B23168%2Bf74784bb?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8080020250602234234:6b4b45d8"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-12T05:41:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:8974"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.ppc64le::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.E4S:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debuginfo-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:delve-debugsource-0:1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:go-toolset-0:1.19.13-3.module+el8.8.0+22903+37387f31.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.src::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-bin-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-docs-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-misc-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-race-0:1.19.13-15.module+el8.8.0+23168+f74784bb.x86_64::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-src-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8",
"AppStream-8.8.0.Z.TUS:golang-tests-0:1.19.13-15.module+el8.8.0+23168+f74784bb.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.