Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-35255 (GCVE-0-2024-35255)
Vulnerability from cvelistv5
Published
2024-06-11 16:59
Modified
2025-07-16 00:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Microsoft | Azure Identity Library for .NET |
Version: 1.0.0 < 1.11.4 |
|||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-14T03:55:56.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure Identity Library for .NET",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.11.4",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Microsoft Authentication Library",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.15.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure Identity Library",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure Identity Library for Java",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.12.2",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure Identity Library for JavaScript",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure Identity Library for C++",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"Unknown"
],
"product": "Azure Identity Library for Python",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.16.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_.net:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.11.4",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:microsoft_authentication_library_for_java:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk_for_go:*:*:*:*:*:-:*:*",
"versionEndExcluding": "1.6.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_java:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.12.2",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_c_plus_plus:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.8.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_python:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-06-11T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T00:42:09.925Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"title": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-35255",
"datePublished": "2024-06-11T16:59:47.754Z",
"dateReserved": "2024-05-14T20:14:47.411Z",
"dateUpdated": "2025-07-16T00:42:09.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-35255\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2024-06-11T17:16:03.550\",\"lastModified\":\"2024-11-21T09:20:01.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de elevaci\u00f3n de privilegios en las librer\u00edas de identidad de Azure y la librer\u00eda de autenticaci\u00f3n de Microsoft\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:*\",\"versionEndExcluding\":\"1.15.1\",\"matchCriteriaId\":\"1F13542D-538A-47C1-9BD1-9E0D5CBCE26B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"2.9.2\",\"matchCriteriaId\":\"F7C63AFB-7B70-45A6-A9F2-83B413A83951\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:*\",\"versionEndExcluding\":\"4.61.3\",\"matchCriteriaId\":\"3C2C72F0-370B-40C9-BE59-003759D8075D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"1.6.0\",\"matchCriteriaId\":\"4747CC36-3E5B-40E3-A955-75044682B9B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:c\\\\+\\\\+:*:*\",\"versionEndExcluding\":\"1.8.0\",\"matchCriteriaId\":\"E994EFF7-09AC-4979-A37B-5030C56F0F70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:.net:*:*\",\"versionEndExcluding\":\"1.11.4\",\"matchCriteriaId\":\"1D1BABF5-442F-4A95-A608-DEF21245930F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*\",\"versionEndExcluding\":\"1.12.2\",\"matchCriteriaId\":\"2EDF4F14-5A4B-4EA4-B1DA-6E3779BF4F8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"1.16.1\",\"matchCriteriaId\":\"4D509315-188D-403A-B9DC-1104958834F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:javascript:*:*\",\"versionEndExcluding\":\"4.2.1\",\"matchCriteriaId\":\"9BC2D3A8-759D-4BBC-AA63-45D7A52EF907\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255\", \"name\": \"Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T03:07:46.822Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35255\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-11T18:48:03.183092Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-11T18:48:07.726Z\"}}], \"cna\": {\"title\": \"Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \"Azure Identity Library for .NET\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.11.4\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Authentication Library\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.15.1\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Azure Identity Library\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.6.0\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Azure Identity Library for Java\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.12.2\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Azure Identity Library for JavaScript\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"4.2.1\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Azure Identity Library for C++\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.8.0\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Azure Identity Library for Python\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.16.1\", \"versionType\": \"custom\"}], \"platforms\": [\"Unknown\"]}], \"datePublic\": \"2024-06-11T07:00:00.000Z\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255\", \"name\": \"Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:azure_identity_library_for_.net:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.11.4\", \"versionStartIncluding\": \"1.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:microsoft_authentication_library_for_java:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.15.1\", \"versionStartIncluding\": \"1.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:azure_identity_sdk_for_go:*:*:*:*:*:-:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.6.0\", \"versionStartIncluding\": \"1.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:azure_identity_library_for_java:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.12.2\", \"versionStartIncluding\": \"1.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:azure_identity_library_for_javascript:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.2.1\", \"versionStartIncluding\": \"1.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:azure_identity_library_for_c_plus_plus:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.8.0\", \"versionStartIncluding\": \"1.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:azure_identity_library_for_python:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.16.1\", \"versionStartIncluding\": \"1.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2025-07-16T00:42:09.925Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-35255\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-16T00:42:09.925Z\", \"dateReserved\": \"2024-05-14T20:14:47.411Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2024-06-11T16:59:47.754Z\", \"assignerShortName\": \"microsoft\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
wid-sec-w-2024-3344
Vulnerability from csaf_certbund
Published
2024-11-05 23:00
Modified
2024-12-18 23:00
Summary
HCL BigFix WebUI: Mehrere Open Source Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebU ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebU ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-3344 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3344.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-3344 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3344"
},
{
"category": "external",
"summary": "HCL BigFix Security Advisory vom 2024-11-05",
"url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=e8e9f77b936dd6100dddf87d1dba103d"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2024-12-18",
"url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=1af3c435fb2216d0db10f2797befdc15"
}
],
"source_lang": "en-US",
"title": "HCL BigFix WebUI: Mehrere Open Source Schwachstellen",
"tracking": {
"current_release_date": "2024-12-18T23:00:00.000+00:00",
"generator": {
"date": "2024-12-19T09:12:54.292+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.10"
}
},
"id": "WID-SEC-W-2024-3344",
"initial_release_date": "2024-11-05T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-11-05T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-12-18T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "HCL BigFix",
"product": {
"name": "HCL BigFix",
"product_id": "T036098",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:webui"
}
}
},
{
"category": "product_version",
"name": "Server Automation",
"product": {
"name": "HCL BigFix Server Automation",
"product_id": "T039915",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:server_automation"
}
}
}
],
"category": "product_name",
"name": "BigFix"
}
],
"category": "vendor",
"name": "HCL"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26159",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2023-26159"
},
{
"cve": "CVE-2023-45857",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2023-45857"
},
{
"cve": "CVE-2024-21501",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-21501"
},
{
"cve": "CVE-2024-33883",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-33883"
},
{
"cve": "CVE-2024-35255",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-35255"
},
{
"cve": "CVE-2024-38996",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-38996"
},
{
"cve": "CVE-2024-43796",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-43796"
},
{
"cve": "CVE-2024-43799",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-43799"
},
{
"cve": "CVE-2024-43800",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-43800"
},
{
"cve": "CVE-2024-45296",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-45296"
},
{
"cve": "CVE-2024-45590",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-45590"
},
{
"cve": "CVE-2024-8372",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-8372"
},
{
"cve": "CVE-2024-8373",
"notes": [
{
"category": "description",
"text": "In HCL BigFix existieren mehrere Schwachstellen in mehreren Third Party Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und die Integrit\u00e4t zu gef\u00e4hrden."
}
],
"product_status": {
"known_affected": [
"T039915",
"T036098"
]
},
"release_date": "2024-11-05T23:00:00.000+00:00",
"title": "CVE-2024-8373"
}
]
}
wid-sec-w-2024-1339
Vulnerability from csaf_certbund
Published
2024-06-11 22:00
Modified
2025-03-02 23:00
Summary
Microsoft Azure: Mehrere Schwachstellen ermöglichen Privilegieneskalation
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Azure ist eine Cloud Computing-Plattform von Microsoft.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure ausnutzen, um seine Privilegien zu erhöhen und um einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Azure ist eine Cloud Computing-Plattform von Microsoft.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure ausnutzen, um seine Privilegien zu erh\u00f6hen und um einen Denial of Service Zustand herbeizuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-1339 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1339.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-1339 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1339"
},
{
"category": "external",
"summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2024-06-11",
"url": "https://msrc.microsoft.com/update-guide"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2024-2630 vom 2024-09-05",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2630.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:3345-1 vom 2024-09-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019470.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:7052 vom 2024-09-24",
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:0750-1 vom 2025-02-28",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/TXAYXA65UPUL23MJ4CX7IBOLRLGVY65Y/"
}
],
"source_lang": "en-US",
"title": "Microsoft Azure: Mehrere Schwachstellen erm\u00f6glichen Privilegieneskalation",
"tracking": {
"current_release_date": "2025-03-02T23:00:00.000+00:00",
"generator": {
"date": "2025-03-03T11:46:25.672+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2024-1339",
"initial_release_date": "2024-06-11T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-06-11T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-09-05T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-09-19T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-09-24T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-03-02T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "Data Science Virtual Machines for Linux",
"product": {
"name": "Microsoft Azure Data Science Virtual Machines for Linux",
"product_id": "T035364",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:data_science_virtual_machines_for_linux"
}
}
},
{
"category": "product_version",
"name": "File Sync v16.0",
"product": {
"name": "Microsoft Azure File Sync v16.0",
"product_id": "T035365",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:file_sync_v16.0"
}
}
},
{
"category": "product_version",
"name": "File Sync v17.0",
"product": {
"name": "Microsoft Azure File Sync v17.0",
"product_id": "T035366",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:file_sync_v17.0"
}
}
},
{
"category": "product_version",
"name": "File Sync v18.0",
"product": {
"name": "Microsoft Azure File Sync v18.0",
"product_id": "T035367",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:file_sync_v18.0"
}
}
},
{
"category": "product_version",
"name": "Identity Library for .NET",
"product": {
"name": "Microsoft Azure Identity Library for .NET",
"product_id": "T035368",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:identity_library_for_.net"
}
}
},
{
"category": "product_version",
"name": "Identity Library for C++",
"product": {
"name": "Microsoft Azure Identity Library for C++",
"product_id": "T035370",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:identity_library_for_c"
}
}
},
{
"category": "product_version",
"name": "Identity Library for Go",
"product": {
"name": "Microsoft Azure Identity Library for Go",
"product_id": "T035371",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:identity_library_for_go"
}
}
},
{
"category": "product_version",
"name": "Identity Library for Java",
"product": {
"name": "Microsoft Azure Identity Library for Java",
"product_id": "T035372",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:identity_library_for_java"
}
}
},
{
"category": "product_version",
"name": "Identity Library for JavaScript",
"product": {
"name": "Microsoft Azure Identity Library for JavaScript",
"product_id": "T035373",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:identity_library_for_javascript"
}
}
},
{
"category": "product_version",
"name": "Identity Library for Python",
"product": {
"name": "Microsoft Azure Identity Library for Python",
"product_id": "T035374",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:identity_library_for_python"
}
}
},
{
"category": "product_version",
"name": "Monitor Agent",
"product": {
"name": "Microsoft Azure Monitor Agent",
"product_id": "T035376",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:monitor_agent"
}
}
},
{
"category": "product_version",
"name": "Storage Movement Client Library for .NET",
"product": {
"name": "Microsoft Azure Storage Movement Client Library for .NET",
"product_id": "T035377",
"product_identification_helper": {
"cpe": "cpe:/a:microsoft:azure:storage_movement_client_library_for_.net"
}
}
}
],
"category": "product_name",
"name": "Azure"
}
],
"category": "vendor",
"name": "Microsoft"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35253",
"product_status": {
"known_affected": [
"67646",
"T035364",
"T035374",
"T035373",
"T035372",
"T035368",
"T035367",
"T035366",
"T035377",
"T035365",
"T035376",
"T002207",
"T035371",
"T035370",
"398363"
]
},
"release_date": "2024-06-11T22:00:00.000+00:00",
"title": "CVE-2024-35253"
},
{
"cve": "CVE-2024-35254",
"product_status": {
"known_affected": [
"67646",
"T035364",
"T035374",
"T035373",
"T035372",
"T035368",
"T035367",
"T035366",
"T035377",
"T035365",
"T035376",
"T002207",
"T035371",
"T035370",
"398363"
]
},
"release_date": "2024-06-11T22:00:00.000+00:00",
"title": "CVE-2024-35254"
},
{
"cve": "CVE-2024-35255",
"product_status": {
"known_affected": [
"67646",
"T035364",
"T035374",
"T035373",
"T035372",
"T035368",
"T035367",
"T035366",
"T035377",
"T035365",
"T035376",
"T002207",
"T035371",
"T035370",
"398363"
]
},
"release_date": "2024-06-11T22:00:00.000+00:00",
"title": "CVE-2024-35255"
},
{
"cve": "CVE-2024-35252",
"product_status": {
"known_affected": [
"T002207",
"67646",
"398363",
"T035377"
]
},
"release_date": "2024-06-11T22:00:00.000+00:00",
"title": "CVE-2024-35252"
},
{
"cve": "CVE-2024-37325",
"product_status": {
"known_affected": [
"T002207",
"67646",
"398363",
"T035377"
]
},
"release_date": "2024-06-11T22:00:00.000+00:00",
"title": "CVE-2024-37325"
}
]
}
wid-sec-w-2024-1688
Vulnerability from csaf_certbund
Published
2024-07-22 22:00
Modified
2024-08-22 22:00
Summary
IBM App Connect Enterprise: Mehrere Schwachstelle
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM App Connect Enterprise kombiniert die branchenbewährten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um seine Privilegien zu erhöhen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial-of-Service-Zustand zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-1688 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1688.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-1688 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1688"
},
{
"category": "external",
"summary": "IBM Security Bulletin vom 2024-07-22",
"url": "https://www.ibm.com/support/pages/node/7160859"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7166462 vom 2024-08-23",
"url": "https://www.ibm.com/support/pages/node/7166462"
}
],
"source_lang": "en-US",
"title": "IBM App Connect Enterprise: Mehrere Schwachstelle",
"tracking": {
"current_release_date": "2024-08-22T22:00:00.000+00:00",
"generator": {
"date": "2024-08-23T10:39:47.601+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.6"
}
},
"id": "WID-SEC-W-2024-1688",
"initial_release_date": "2024-07-22T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-07-22T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-08-22T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM App Connect Enterprise",
"product": {
"name": "IBM App Connect Enterprise",
"product_id": "T032495",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:app_connect_enterprise:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.0.12.4",
"product": {
"name": "IBM App Connect Enterprise \u003c12.0.12.4",
"product_id": "T036393"
}
},
{
"category": "product_version",
"name": "12.0.12.4",
"product": {
"name": "IBM App Connect Enterprise 12.0.12.4",
"product_id": "T036393-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:app_connect_enterprise:12.0.12.4"
}
}
}
],
"category": "product_name",
"name": "App Connect Enterprise"
}
],
"category": "vendor",
"name": "IBM"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35255",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in den Microsoft Azure Identity Libraries und der Microsoft Authentication Library. Durch das Senden einer speziell gestalteten Anfrage kann ein lokaler Angreifer diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern."
}
],
"product_status": {
"known_affected": [
"T036393",
"T032495"
]
},
"release_date": "2024-07-22T22:00:00.000+00:00",
"title": "CVE-2024-35255"
},
{
"cve": "CVE-2024-37168",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in der gRPC-Komponente auf Node.js aufgrund einer unsachgem\u00e4\u00dfen Speicherzuweisung mit \u00fcberm\u00e4\u00dfigem Gr\u00f6\u00dfenwert. Durch das Senden speziell gestalteter Meldungen kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen."
}
],
"product_status": {
"known_affected": [
"T036393",
"T032495"
]
},
"release_date": "2024-07-22T22:00:00.000+00:00",
"title": "CVE-2024-37168"
}
]
}
ghsa-m5vv-6r4h-3vj9
Vulnerability from github
Published
2024-06-11 18:30
Modified
2025-07-22 14:51
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
VLAI Severity ?
Summary
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Details
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "azure-identity"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@azure/identity"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.azure:azure-identity"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@azure/msal-node"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Identity.Client"
},
"ranges": [
{
"events": [
{
"introduced": "4.49.1"
},
{
"fixed": "4.60.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0-beta.4.0.20240610221955-50774cd97099"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.microsoft.azure:msal4j"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.4-beta"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Azure.Identity"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.Identity.Client"
},
"ranges": [
{
"events": [
{
"introduced": "4.61.0"
},
{
"fixed": "4.61.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-35255"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-11T19:57:01Z",
"nvd_published_at": "2024-06-11T17:16:03Z",
"severity": "MODERATE"
},
"details": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.",
"id": "GHSA-m5vv-6r4h-3vj9",
"modified": "2025-07-22T14:51:01Z",
"published": "2024-06-11T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
},
{
"type": "WEB",
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53"
},
{
"type": "WEB",
"url": "https://github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"
}
opensuse-su-2024:14362-1
Vulnerability from csaf_opensuse
Published
2024-09-23 00:00
Modified
2024-09-23 00:00
Summary
python310-azure-identity-1.18.0-1.1 on GA media
Notes
Title of the patch
python310-azure-identity-1.18.0-1.1 on GA media
Description of the patch
These are all security issues fixed in the python310-azure-identity-1.18.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14362
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python310-azure-identity-1.18.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python310-azure-identity-1.18.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14362",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14362-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14362-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LF7I44FT62DV4NBDQL52SGJRCWLAZRCQ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14362-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LF7I44FT62DV4NBDQL52SGJRCWLAZRCQ/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35255 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35255/"
}
],
"title": "python310-azure-identity-1.18.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-09-23T00:00:00Z",
"generator": {
"date": "2024-09-23T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14362-1",
"initial_release_date": "2024-09-23T00:00:00Z",
"revision_history": [
{
"date": "2024-09-23T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python310-azure-identity-1.18.0-1.1.aarch64",
"product": {
"name": "python310-azure-identity-1.18.0-1.1.aarch64",
"product_id": "python310-azure-identity-1.18.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-azure-identity-1.18.0-1.1.aarch64",
"product": {
"name": "python311-azure-identity-1.18.0-1.1.aarch64",
"product_id": "python311-azure-identity-1.18.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-azure-identity-1.18.0-1.1.aarch64",
"product": {
"name": "python312-azure-identity-1.18.0-1.1.aarch64",
"product_id": "python312-azure-identity-1.18.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-azure-identity-1.18.0-1.1.ppc64le",
"product": {
"name": "python310-azure-identity-1.18.0-1.1.ppc64le",
"product_id": "python310-azure-identity-1.18.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-azure-identity-1.18.0-1.1.ppc64le",
"product": {
"name": "python311-azure-identity-1.18.0-1.1.ppc64le",
"product_id": "python311-azure-identity-1.18.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-azure-identity-1.18.0-1.1.ppc64le",
"product": {
"name": "python312-azure-identity-1.18.0-1.1.ppc64le",
"product_id": "python312-azure-identity-1.18.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-azure-identity-1.18.0-1.1.s390x",
"product": {
"name": "python310-azure-identity-1.18.0-1.1.s390x",
"product_id": "python310-azure-identity-1.18.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-azure-identity-1.18.0-1.1.s390x",
"product": {
"name": "python311-azure-identity-1.18.0-1.1.s390x",
"product_id": "python311-azure-identity-1.18.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-azure-identity-1.18.0-1.1.s390x",
"product": {
"name": "python312-azure-identity-1.18.0-1.1.s390x",
"product_id": "python312-azure-identity-1.18.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-azure-identity-1.18.0-1.1.x86_64",
"product": {
"name": "python310-azure-identity-1.18.0-1.1.x86_64",
"product_id": "python310-azure-identity-1.18.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-azure-identity-1.18.0-1.1.x86_64",
"product": {
"name": "python311-azure-identity-1.18.0-1.1.x86_64",
"product_id": "python311-azure-identity-1.18.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-azure-identity-1.18.0-1.1.x86_64",
"product": {
"name": "python312-azure-identity-1.18.0-1.1.x86_64",
"product_id": "python312-azure-identity-1.18.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-azure-identity-1.18.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.aarch64"
},
"product_reference": "python310-azure-identity-1.18.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-azure-identity-1.18.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.ppc64le"
},
"product_reference": "python310-azure-identity-1.18.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-azure-identity-1.18.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.s390x"
},
"product_reference": "python310-azure-identity-1.18.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-azure-identity-1.18.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.x86_64"
},
"product_reference": "python310-azure-identity-1.18.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.18.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.aarch64"
},
"product_reference": "python311-azure-identity-1.18.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.18.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.ppc64le"
},
"product_reference": "python311-azure-identity-1.18.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.18.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.s390x"
},
"product_reference": "python311-azure-identity-1.18.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.18.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.x86_64"
},
"product_reference": "python311-azure-identity-1.18.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-azure-identity-1.18.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.aarch64"
},
"product_reference": "python312-azure-identity-1.18.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-azure-identity-1.18.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.ppc64le"
},
"product_reference": "python312-azure-identity-1.18.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-azure-identity-1.18.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.s390x"
},
"product_reference": "python312-azure-identity-1.18.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-azure-identity-1.18.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.x86_64"
},
"product_reference": "python312-azure-identity-1.18.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35255",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35255"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.x86_64",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.x86_64",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35255",
"url": "https://www.suse.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "SUSE Bug 1230100 for CVE-2024-35255",
"url": "https://bugzilla.suse.com/1230100"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.x86_64",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.x86_64",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python310-azure-identity-1.18.0-1.1.x86_64",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python311-azure-identity-1.18.0-1.1.x86_64",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.s390x",
"openSUSE Tumbleweed:python312-azure-identity-1.18.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-23T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-35255"
}
]
}
opensuse-su-2024:14048-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
teleport-15.4.3-1.1 on GA media
Notes
Title of the patch
teleport-15.4.3-1.1 on GA media
Description of the patch
These are all security issues fixed in the teleport-15.4.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14048
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "teleport-15.4.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the teleport-15.4.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14048",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14048-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35255 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35255/"
}
],
"title": "teleport-15.4.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14048-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "teleport-15.4.3-1.1.aarch64",
"product": {
"name": "teleport-15.4.3-1.1.aarch64",
"product_id": "teleport-15.4.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-15.4.3-1.1.aarch64",
"product": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.aarch64",
"product_id": "teleport-fdpass-teleport-15.4.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-15.4.3-1.1.aarch64",
"product": {
"name": "teleport-tbot-15.4.3-1.1.aarch64",
"product_id": "teleport-tbot-15.4.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-15.4.3-1.1.aarch64",
"product": {
"name": "teleport-tctl-15.4.3-1.1.aarch64",
"product_id": "teleport-tctl-15.4.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-15.4.3-1.1.aarch64",
"product": {
"name": "teleport-tsh-15.4.3-1.1.aarch64",
"product_id": "teleport-tsh-15.4.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-15.4.3-1.1.ppc64le",
"product": {
"name": "teleport-15.4.3-1.1.ppc64le",
"product_id": "teleport-15.4.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-15.4.3-1.1.ppc64le",
"product": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.ppc64le",
"product_id": "teleport-fdpass-teleport-15.4.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tbot-15.4.3-1.1.ppc64le",
"product": {
"name": "teleport-tbot-15.4.3-1.1.ppc64le",
"product_id": "teleport-tbot-15.4.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tctl-15.4.3-1.1.ppc64le",
"product": {
"name": "teleport-tctl-15.4.3-1.1.ppc64le",
"product_id": "teleport-tctl-15.4.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tsh-15.4.3-1.1.ppc64le",
"product": {
"name": "teleport-tsh-15.4.3-1.1.ppc64le",
"product_id": "teleport-tsh-15.4.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-15.4.3-1.1.s390x",
"product": {
"name": "teleport-15.4.3-1.1.s390x",
"product_id": "teleport-15.4.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-15.4.3-1.1.s390x",
"product": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.s390x",
"product_id": "teleport-fdpass-teleport-15.4.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tbot-15.4.3-1.1.s390x",
"product": {
"name": "teleport-tbot-15.4.3-1.1.s390x",
"product_id": "teleport-tbot-15.4.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tctl-15.4.3-1.1.s390x",
"product": {
"name": "teleport-tctl-15.4.3-1.1.s390x",
"product_id": "teleport-tctl-15.4.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tsh-15.4.3-1.1.s390x",
"product": {
"name": "teleport-tsh-15.4.3-1.1.s390x",
"product_id": "teleport-tsh-15.4.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-15.4.3-1.1.x86_64",
"product": {
"name": "teleport-15.4.3-1.1.x86_64",
"product_id": "teleport-15.4.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-15.4.3-1.1.x86_64",
"product": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.x86_64",
"product_id": "teleport-fdpass-teleport-15.4.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-15.4.3-1.1.x86_64",
"product": {
"name": "teleport-tbot-15.4.3-1.1.x86_64",
"product_id": "teleport-tbot-15.4.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-15.4.3-1.1.x86_64",
"product": {
"name": "teleport-tctl-15.4.3-1.1.x86_64",
"product_id": "teleport-tctl-15.4.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-15.4.3-1.1.x86_64",
"product": {
"name": "teleport-tsh-15.4.3-1.1.x86_64",
"product_id": "teleport-tsh-15.4.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-15.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-15.4.3-1.1.aarch64"
},
"product_reference": "teleport-15.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-15.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-15.4.3-1.1.ppc64le"
},
"product_reference": "teleport-15.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-15.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-15.4.3-1.1.s390x"
},
"product_reference": "teleport-15.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-15.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-15.4.3-1.1.x86_64"
},
"product_reference": "teleport-15.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.aarch64"
},
"product_reference": "teleport-fdpass-teleport-15.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.ppc64le"
},
"product_reference": "teleport-fdpass-teleport-15.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.s390x"
},
"product_reference": "teleport-fdpass-teleport-15.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-15.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.x86_64"
},
"product_reference": "teleport-fdpass-teleport-15.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-15.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.aarch64"
},
"product_reference": "teleport-tbot-15.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-15.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.ppc64le"
},
"product_reference": "teleport-tbot-15.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-15.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.s390x"
},
"product_reference": "teleport-tbot-15.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-15.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.x86_64"
},
"product_reference": "teleport-tbot-15.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-15.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.aarch64"
},
"product_reference": "teleport-tctl-15.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-15.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.ppc64le"
},
"product_reference": "teleport-tctl-15.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-15.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.s390x"
},
"product_reference": "teleport-tctl-15.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-15.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.x86_64"
},
"product_reference": "teleport-tctl-15.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-15.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.aarch64"
},
"product_reference": "teleport-tsh-15.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-15.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.ppc64le"
},
"product_reference": "teleport-tsh-15.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-15.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.s390x"
},
"product_reference": "teleport-tsh-15.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-15.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.x86_64"
},
"product_reference": "teleport-tsh-15.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35255",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35255"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:teleport-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35255",
"url": "https://www.suse.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "SUSE Bug 1230100 for CVE-2024-35255",
"url": "https://bugzilla.suse.com/1230100"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:teleport-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:teleport-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-fdpass-teleport-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-15.4.3-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-15.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-35255"
}
]
}
ncsc-2024-0249
Vulnerability from csaf_ncscnl
Published
2024-06-11 18:15
Modified
2024-06-11 18:15
Summary
Kwetsbaarheden verholpen in Microsoft Azure
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Microsoft heeft kwetsbaarheden verholpen in Azure producten.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, of om zich verhoogde rechten toe te kennen en mogelijk handelingen uit te voeren met beheerdersrechten.
De ernstigste kwetsbaarheid heeft kenmerk CVE-2024-37325 toegewezen gekregen. Deze kwetsbaarheid bevindt zich in de Data Science Virtual Machines met versies kleiner dan 24.05.24 welke draaien op Linux/Ubuntu. Een ongeauthenticeerde kwaadwillende kan de gebruikersgegevens van deze VM's achterhalen en inloggen als het slachtoffer.
```
Azure Storage Library:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35252 | 7.50 | Denial-of-Service |
|----------------|------|-------------------------------------|
Azure Monitor:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35254 | 7.10 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure File Sync:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35253 | 4.40 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure Data Science Virtual Machines:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-37325 | 9.80 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure SDK:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35255 | 5.50 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
```
Oplossingen
Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:
https://portal.msrc.microsoft.com/en-us/security-guidance
Kans
medium
Schade
high
CWE-1104
Use of Unmaintained Third Party Components
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-59
Improper Link Resolution Before File Access ('Link Following')
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Microsoft heeft kwetsbaarheden verholpen in Azure producten.",
"title": "Feiten"
},
{
"category": "description",
"text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, of om zich verhoogde rechten toe te kennen en mogelijk handelingen uit te voeren met beheerdersrechten.\n\nDe ernstigste kwetsbaarheid heeft kenmerk CVE-2024-37325 toegewezen gekregen. Deze kwetsbaarheid bevindt zich in de Data Science Virtual Machines met versies kleiner dan 24.05.24 welke draaien op Linux/Ubuntu. Een ongeauthenticeerde kwaadwillende kan de gebruikersgegevens van deze VM\u0027s achterhalen en inloggen als het slachtoffer.\n\n\n```\nAzure Storage Library: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35252 | 7.50 | Denial-of-Service | \n|----------------|------|-------------------------------------|\n\nAzure Monitor: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35254 | 7.10 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure File Sync: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35253 | 4.40 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure Data Science Virtual Machines: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-37325 | 9.80 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure SDK: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35255 | 5.50 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n```",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Use of Unmaintained Third Party Components",
"title": "CWE-1104"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "general",
"text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"title": "CWE-59"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"title": "Kwetsbaarheden verholpen in Microsoft Azure",
"tracking": {
"current_release_date": "2024-06-11T18:15:29.806897Z",
"id": "NCSC-2024-0249",
"initial_release_date": "2024-06-11T18:15:29.806897Z",
"revision_history": [
{
"date": "2024-06-11T18:15:29.806897Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "azure_data_science_virtual_machines",
"product": {
"name": "azure_data_science_virtual_machines",
"product_id": "CSAFPID-1477305",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_data_science_virtual_machines:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_file_sync",
"product": {
"name": "azure_file_sync",
"product_id": "CSAFPID-1477298",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_file_sync:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_file_sync",
"product": {
"name": "azure_file_sync",
"product_id": "CSAFPID-1455778",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_file_sync:16.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_file_sync",
"product": {
"name": "azure_file_sync",
"product_id": "CSAFPID-1455781",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_file_sync:17.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_identity_library_for_.net",
"product": {
"name": "azure_identity_library_for_.net",
"product_id": "CSAFPID-1455908",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_.net:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_identity_library_for_c__",
"product": {
"name": "azure_identity_library_for_c__",
"product_id": "CSAFPID-1477303",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_c__:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_identity_library_for_java",
"product": {
"name": "azure_identity_library_for_java",
"product_id": "CSAFPID-1477301",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_java:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_identity_library_for_javascript",
"product": {
"name": "azure_identity_library_for_javascript",
"product_id": "CSAFPID-1477302",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_identity_library_for_python",
"product": {
"name": "azure_identity_library_for_python",
"product_id": "CSAFPID-1477304",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_python:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_identity_library",
"product": {
"name": "azure_identity_library",
"product_id": "CSAFPID-1477300",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_identity_library:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_monitor",
"product": {
"name": "azure_monitor",
"product_id": "CSAFPID-1454052",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_monitor:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "azure_storage",
"product": {
"name": "azure_storage",
"product_id": "CSAFPID-1477297",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:azure_storage:1.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "microsoft_authentication_library",
"product": {
"name": "microsoft_authentication_library",
"product_id": "CSAFPID-1477299",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:microsoft_authentication_library:1.0.0:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "microsoft"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35252",
"cwe": {
"id": "CWE-1104",
"name": "Use of Unmaintained Third Party Components"
},
"notes": [
{
"category": "other",
"text": "Use of Unmaintained Third Party Components",
"title": "CWE-1104"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1477297"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-35252",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35252.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1477297"
]
}
],
"title": "CVE-2024-35252"
},
{
"cve": "CVE-2024-35253",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"title": "CWE-59"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1455778",
"CSAFPID-1477298",
"CSAFPID-1455781"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-35253",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35253.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1455778",
"CSAFPID-1477298",
"CSAFPID-1455781"
]
}
],
"title": "CVE-2024-35253"
},
{
"cve": "CVE-2024-35254",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"title": "CWE-59"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1454052"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-35254",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35254.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1454052"
]
}
],
"title": "CVE-2024-35254"
},
{
"cve": "CVE-2024-35255",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1455908",
"CSAFPID-1477299",
"CSAFPID-1477300",
"CSAFPID-1477301",
"CSAFPID-1477302",
"CSAFPID-1477303",
"CSAFPID-1477304"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-35255",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35255.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1455908",
"CSAFPID-1477299",
"CSAFPID-1477300",
"CSAFPID-1477301",
"CSAFPID-1477302",
"CSAFPID-1477303",
"CSAFPID-1477304"
]
}
],
"title": "CVE-2024-35255"
},
{
"cve": "CVE-2024-37325",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1477305"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-37325",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37325.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1477305"
]
}
],
"title": "CVE-2024-37325"
}
]
}
suse-su-2024:3345-1
Vulnerability from csaf_suse
Published
2024-09-19 15:11
Modified
2024-09-19 15:11
Summary
Security update for python-azure-identity
Notes
Title of the patch
Security update for python-azure-identity
Description of the patch
This update for python-azure-identity fixes the following issues:
- CVE-2024-35255: Fixed an Azure identity libraries elevation of privilege vulnerability. (bsc#1230100)
Patchnames
SUSE-2024-3345,SUSE-SLE-Module-Public-Cloud-15-SP4-2024-3345,SUSE-SLE-Module-Public-Cloud-15-SP5-2024-3345,SUSE-SLE-Module-Public-Cloud-15-SP6-2024-3345,openSUSE-SLE-15.5-2024-3345,openSUSE-SLE-15.6-2024-3345
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-azure-identity",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-azure-identity fixes the following issues:\n\n- CVE-2024-35255: Fixed an Azure identity libraries elevation of privilege vulnerability. (bsc#1230100)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-3345,SUSE-SLE-Module-Public-Cloud-15-SP4-2024-3345,SUSE-SLE-Module-Public-Cloud-15-SP5-2024-3345,SUSE-SLE-Module-Public-Cloud-15-SP6-2024-3345,openSUSE-SLE-15.5-2024-3345,openSUSE-SLE-15.6-2024-3345",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3345-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:3345-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20243345-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:3345-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2024-September/036978.html"
},
{
"category": "self",
"summary": "SUSE Bug 1230100",
"url": "https://bugzilla.suse.com/1230100"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35255 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35255/"
}
],
"title": "Security update for python-azure-identity",
"tracking": {
"current_release_date": "2024-09-19T15:11:27Z",
"generator": {
"date": "2024-09-19T15:11:27Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:3345-1",
"initial_release_date": "2024-09-19T15:11:27Z",
"revision_history": [
{
"date": "2024-09-19T15:11:27Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"product": {
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"product_id": "python311-azure-identity-1.15.0-150400.11.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
},
"product_reference": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
},
"product_reference": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
},
"product_reference": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
},
"product_reference": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-azure-identity-1.15.0-150400.11.6.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
},
"product_reference": "python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35255",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35255"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"openSUSE Leap 15.5:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"openSUSE Leap 15.6:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35255",
"url": "https://www.suse.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "SUSE Bug 1230100 for CVE-2024-35255",
"url": "https://bugzilla.suse.com/1230100"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"openSUSE Leap 15.5:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"openSUSE Leap 15.6:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"openSUSE Leap 15.5:python311-azure-identity-1.15.0-150400.11.6.1.noarch",
"openSUSE Leap 15.6:python311-azure-identity-1.15.0-150400.11.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-19T15:11:27Z",
"details": "moderate"
}
],
"title": "CVE-2024-35255"
}
]
}
suse-su-2025:0750-1
Vulnerability from csaf_suse
Published
2025-02-28 16:25
Modified
2025-02-28 16:25
Summary
Security update for python-azure-identity
Notes
Title of the patch
Security update for python-azure-identity
Description of the patch
This update for python-azure-identity fixes the following issues:
- CVE-2024-35255: race condition leading to privilege escalation and unauthorized access to sensitive information
in Azure Identity libraries (bsc#1230100).
Patchnames
SUSE-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP3-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP4-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP5-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP6-2025-750,openSUSE-SLE-15.6-2025-750
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-azure-identity",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-azure-identity fixes the following issues:\n\n- CVE-2024-35255: race condition leading to privilege escalation and unauthorized access to sensitive information\n in Azure Identity libraries (bsc#1230100).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP3-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP4-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP5-2025-750,SUSE-SLE-Module-Public-Cloud-15-SP6-2025-750,openSUSE-SLE-15.6-2025-750",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_0750-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:0750-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20250750-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:0750-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-February/020466.html"
},
{
"category": "self",
"summary": "SUSE Bug 1230100",
"url": "https://bugzilla.suse.com/1230100"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35255 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35255/"
}
],
"title": "Security update for python-azure-identity",
"tracking": {
"current_release_date": "2025-02-28T16:25:42Z",
"generator": {
"date": "2025-02-28T16:25:42Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:0750-1",
"initial_release_date": "2025-02-28T16:25:42Z",
"revision_history": [
{
"date": "2025-02-28T16:25:42Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"product": {
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"product_id": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
},
"product_reference": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
},
"product_reference": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
},
"product_reference": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15 SP6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
},
"product_reference": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
},
"product_reference": "python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35255",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35255"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"openSUSE Leap 15.6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35255",
"url": "https://www.suse.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "SUSE Bug 1230100 for CVE-2024-35255",
"url": "https://bugzilla.suse.com/1230100"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"openSUSE Leap 15.6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15 SP6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch",
"openSUSE Leap 15.6:python3-azure-identity-1.10.0.0-150200.6.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-28T16:25:42Z",
"details": "moderate"
}
],
"title": "CVE-2024-35255"
}
]
}
msrc_cve-2024-35255
Vulnerability from csaf_microsoft
Published
2024-06-11 07:00
Modified
2024-06-13 07:00
Summary
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Customer Action
Required. The vulnerability documented by this CVE requires customer action to resolve.
{
"document": {
"acknowledgments": [
{
"names": [
"Vladimir Abramzon with Microsoft"
]
},
{
"names": [
"Eli Arbel with Microsoft"
]
}
],
"aggregate_severity": {
"namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
},
{
"category": "general",
"text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
"title": "Customer Action"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2024-35255 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - HTML",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
},
{
"category": "self",
"summary": "CVE-2024-35255 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - CSAF",
"url": "https://msrc.microsoft.com/csaf/advisories/2024/msrc_cve-2024-35255.json"
},
{
"category": "external",
"summary": "Microsoft Exploitability Index",
"url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability",
"tracking": {
"current_release_date": "2024-06-13T07:00:00.000Z",
"generator": {
"date": "2025-07-16T00:42:01.213Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2024-35255",
"initial_release_date": "2024-06-11T07:00:00.000Z",
"revision_history": [
{
"date": "2024-06-11T07:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2024-06-11T07:00:00.000Z",
"legacy_version": "2",
"number": "2",
"summary": "In the Security Updates table, removed Microsoft Authentication Library (MSAL) for Python as it is not affected by CVE-2024-35255."
},
{
"date": "2024-06-12T07:00:00.000Z",
"legacy_version": "2.1",
"number": "3",
"summary": "Added an FAQ. This is an information change only."
},
{
"date": "2024-06-13T07:00:00.000Z",
"legacy_version": "2.2",
"number": "4",
"summary": "Corrected Fixed Build Number and Download links in the Security Updates table. This is an informational change only."
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.11.4",
"product": {
"name": "Azure Identity Library for .NET \u003c1.11.4",
"product_id": "9"
}
},
{
"category": "product_version",
"name": "1.11.4",
"product": {
"name": "Azure Identity Library for .NET 1.11.4",
"product_id": "12334"
}
}
],
"category": "product_name",
"name": "Azure Identity Library for .NET"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.15.1",
"product": {
"name": "Microsoft Authentication Library (MSAL) for Java \u003c1.15.1",
"product_id": "6"
}
},
{
"category": "product_version",
"name": "1.15.1",
"product": {
"name": "Microsoft Authentication Library (MSAL) for Java 1.15.1",
"product_id": "12344"
}
}
],
"category": "product_name",
"name": "Microsoft Authentication Library (MSAL) for Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.6.0",
"product": {
"name": "Azure Identity Library for Go \u003c1.6.0",
"product_id": "5"
}
},
{
"category": "product_version",
"name": "1.6.0",
"product": {
"name": "Azure Identity Library for Go 1.6.0",
"product_id": "12346"
}
}
],
"category": "product_name",
"name": "Azure Identity Library for Go"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.61.3",
"product": {
"name": "Microsoft Authentication Library (MSAL) for .NET \u003c4.61.3",
"product_id": "8"
}
},
{
"category": "product_version",
"name": "4.61.3",
"product": {
"name": "Microsoft Authentication Library (MSAL) for .NET 4.61.3",
"product_id": "12342"
}
}
],
"category": "product_name",
"name": "Microsoft Authentication Library (MSAL) for .NET"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.9.2",
"product": {
"name": "Microsoft Authentication Library (MSAL) for Node.js \u003c2.9.2",
"product_id": "7"
}
},
{
"category": "product_version",
"name": "2.9.2",
"product": {
"name": "Microsoft Authentication Library (MSAL) for Node.js 2.9.2",
"product_id": "12343"
}
}
],
"category": "product_name",
"name": "Microsoft Authentication Library (MSAL) for Node.js"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.12.2",
"product": {
"name": "Azure Identity Library for Java \u003c1.12.2",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "1.12.2",
"product": {
"name": "Azure Identity Library for Java 1.12.2",
"product_id": "12348"
}
}
],
"category": "product_name",
"name": "Azure Identity Library for Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.2.1",
"product": {
"name": "Azure Identity Library for JavaScript \u003c4.2.1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "4.2.1",
"product": {
"name": "Azure Identity Library for JavaScript 4.2.1",
"product_id": "12349"
}
}
],
"category": "product_name",
"name": "Azure Identity Library for JavaScript"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.8.0",
"product": {
"name": "Azure Identity Library for C++ \u003c1.8.0",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "1.8.0",
"product": {
"name": "Azure Identity Library for C++ 1.8.0",
"product_id": "12347"
}
}
],
"category": "product_name",
"name": "Azure Identity Library for C++"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.16.1",
"product": {
"name": "Azure Identity Library for Python \u003c1.16.1",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "1.16.1",
"product": {
"name": "Azure Identity Library for Python 1.16.1",
"product_id": "12350"
}
}
],
"category": "product_name",
"name": "Azure Identity Library for Python"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35255",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "general",
"text": "Microsoft",
"title": "Assigning CNA"
},
{
"category": "faq",
"text": "An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions.",
"title": "What privileges could be gained by an attacker who successfully exploited the vulnerability?"
},
{
"category": "faq",
"text": "An attacker who successfully exploits this vulnerability can only obtain read access to the system files by exploiting this vulnerability. The attacker cannot perform write or delete operations on the files.",
"title": "According to the CVSS metric, Integrity and Availability impact is None (I:N/A:N). What does that mean for this vulnerability?"
},
{
"category": "faq",
"text": "The vulnerability exists in the following credential types:\nDefaultAzureCredential, ManagedIdentityCredential",
"title": "Which credential types provided by the Azure Identity client library are affected?"
},
{
"category": "faq",
"text": "The vulnerability exists in the following credential types:\nManagedIdentityApplication (.NET), ManagedIdentityApplication (Java), ManagedIdentityApplication (Node.js)",
"title": "Which credential types provided by the Microsoft Authentication Libraries are affected?"
}
],
"product_status": {
"fixed": [
"12334",
"12342",
"12343",
"12344",
"12346",
"12347",
"12348",
"12349",
"12350"
],
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-35255 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - HTML",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
},
{
"category": "self",
"summary": "CVE-2024-35255 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - CSAF",
"url": "https://msrc.microsoft.com/csaf/advisories/2024/msrc_cve-2024-35255.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "1.11.4:Security Update:https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/CHANGELOG.md",
"product_ids": [
"9"
],
"url": "https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/CHANGELOG.md"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "1.15.1:Security Update:https://github.com/AzureAD/microsoft-authentication-library-for-java",
"product_ids": [
"6"
],
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-java"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "1.6.0:Security Update:https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/CHANGELOG.md",
"product_ids": [
"5"
],
"url": "https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/CHANGELOG.md"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "4.61.3:Security Update:https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/CHANGELOG.md",
"product_ids": [
"8"
],
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/CHANGELOG.md"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "2.9.2:Security Update:https://github.com/AzureAD/microsoft-authentication-library-for-js#readme",
"product_ids": [
"7"
],
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-js#readme"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "1.12.2:Security Update:https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md",
"product_ids": [
"3"
],
"url": "https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "4.2.1:Security Update:https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/CHANGELOG.md",
"product_ids": [
"2"
],
"url": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/CHANGELOG.md"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "1.8.0:Security Update:https://github.com/Azure/azure-sdk-for-cpp/blob/main/sdk/identity/azure-identity/CHANGELOG.md",
"product_ids": [
"4"
],
"url": "https://github.com/Azure/azure-sdk-for-cpp/blob/main/sdk/identity/azure-identity/CHANGELOG.md"
},
{
"category": "vendor_fix",
"date": "2024-06-11T07:00:00.000Z",
"details": "1.16.1:Security Update:https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/CHANGELOG.md",
"product_ids": [
"1"
],
"url": "https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/CHANGELOG.md"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9"
]
}
],
"threats": [
{
"category": "impact",
"details": "Elevation of Privilege"
},
{
"category": "exploit_status",
"details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely"
}
],
"title": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"
}
]
}
rhsa-2025:0536
Vulnerability from csaf_redhat
Published
2025-01-21 16:57
Modified
2025-08-13 11:30
Summary
Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.15.0
Notes
Topic
cert-manager Operator for Red Hat OpenShift 1.15.0
Details
The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide certificates-as-a-service to developers working within your Kubernetes cluster.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cert-manager Operator for Red Hat OpenShift 1.15.0",
"title": "Topic"
},
{
"category": "general",
"text": "The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide certificates-as-a-service to developers working within your Kubernetes cluster.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:0536",
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html",
"url": "https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-35255",
"url": "https://access.redhat.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-45288",
"url": "https://access.redhat.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-24783",
"url": "https://access.redhat.com/security/cve/CVE-2024-24783"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-28180",
"url": "https://access.redhat.com/security/cve/CVE-2024-28180"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-6104",
"url": "https://access.redhat.com/security/cve/CVE-2024-6104"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-45337",
"url": "https://access.redhat.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-45338",
"url": "https://access.redhat.com/security/cve/CVE-2024-45338"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0536.json"
}
],
"title": "Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.15.0",
"tracking": {
"current_release_date": "2025-08-13T11:30:12+00:00",
"generator": {
"date": "2025-08-13T11:30:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:0536",
"initial_release_date": "2025-01-21T16:57:37+00:00",
"revision_history": [
{
"date": "2025-01-21T16:57:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-04-01T11:42:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-13T11:30:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "cert-manager operator for Red Hat OpenShift 1.15",
"product": {
"name": "cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cert_manager:1.15::el9"
}
}
}
],
"category": "product_family",
"name": "cert-manager operator for Red Hat OpenShift"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3Aa1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0?arch=amd64\u0026repository_url=registry.redhat.io/cert-manager"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25?arch=amd64\u0026repository_url=registry.redhat.io/cert-manager"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3A30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e?arch=s390x\u0026repository_url=registry.redhat.io/cert-manager"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173?arch=s390x\u0026repository_url=registry.redhat.io/cert-manager"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3Adf96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8?arch=ppc64le\u0026repository_url=registry.redhat.io/cert-manager"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531?arch=ppc64le\u0026repository_url=registry.redhat.io/cert-manager"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3A68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6?arch=arm64\u0026repository_url=registry.redhat.io/cert-manager"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3Ac1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1?arch=arm64\u0026repository_url=registry.redhat.io/cert-manager"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64 as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64 as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64 as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64 as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le as a component of cert-manager operator for Red Hat OpenShift 1.15",
"product_id": "cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.15"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Bartek Nowotarski"
],
"organization": "nowotarski.info"
}
],
"cve": "CVE-2023-45288",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-03-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268273"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates the security impact of this vulnerability as Important due to the worst case scenario resulting in a denial of service. It is simple to exploit, could significantly impact availability, and there is not a suitable mitigation for all use cases. Once an attack has ended, the system should return to normal operations on its own.\n\nThis vulnerability only impacts servers which have HTTP/2 enabled. It stems from an imperfect definition of the protocol. As the Go programming language is widely utilized across nearly every major Red Hat offering, a full listing of impacted packages will not be provided. Therefore, the \u201cAffected Packages and Issued Red Hat Security Errata\u201d section contains a simplified list of what offerings need to remediate this vulnerability. Every impacted offering has at least one representative component listed, but potentially not all of them. Rest assured that Red Hat is committed to remediating this vulnerability across our entire portfolio.\n\nMany components are rated as Low impact due to configurations which reduce the attack surface or significantly increase the difficulty of exploitation. A summary of these scenarios are:\n* The container includes a package that provides a vulnerable webserver, but it is not used or running during operation\n* HTTP/2 is disabled by default and is not supported\n* Only a client implementation is provided, which is not vulnerable\n* A vulnerable module (either golang.org/net/http or golang.org/x/net/http2) is included, but disabled\n* Access to a vulnerable server is restricted within the container (loopback only connections)\n* Golang is available in the container but is not used\n\n\nWithin the Red Hat OpenShift Container Platform, the majority of vulnerable components are not externally accessible. This means an attacker must already have access to a container within your environment to exploit this vulnerability. However, the ose-hyperkube (openshift-enterprise-hyperkube) container is externally accessible, so there are less barriers to exploitation. Fixes for this specific container are already available.\n\nWithin Red Hat Ansible Automation Platform, the impacted component is Receptor. The impact has been reduced to Low as the vulnerable code is present, but not utilized. There are three potential exposures within this component:\n* Receptor utilizes QUIC a UDP based protocol which does not run over HTTP/2\n* Receptor utilizes the x/net/ipv4 and ipv6 packages, both of which are not affected",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "RHBZ#2268273",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288"
},
{
"category": "external",
"summary": "https://nowotarski.info/http2-continuation-flood/",
"url": "https://nowotarski.info/http2-continuation-flood/"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2687",
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"category": "external",
"summary": "https://www.kb.cert.org/vuls/id/421644",
"url": "https://www.kb.cert.org/vuls/id/421644"
}
],
"release_date": "2024-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
},
{
"category": "workaround",
"details": "In some environments where http/2 support is not required, it may be possible to disable this feature to reduce risk.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS"
},
{
"cve": "CVE-2024-6104",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2024-06-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2294000"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "go-retryablehttp: url might write sensitive information to log file",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to the successful exploitation of a CWE-532: Insertion of Sensitive Information into Log File vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nLogging configurations are centrally managed and follow secure defaults that avoid recording sensitive information such as passwords, tokens, or keys. Audit logs are periodically reviewed and analyzed to identify anomalous events or improper logging practices, while privileged functions are monitored to ensure sensitive actions are traceable without overexposing data. Integrity verification mechanisms protect the authenticity of log data, helping detect unauthorized modification or injection. These layered controls significantly reduce the likelihood that sensitive data will be exposed through logging and ensure that any deviations are quickly detected and remediated.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-6104"
},
{
"category": "external",
"summary": "RHBZ#2294000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-6104",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6104"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-6104",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6104"
}
],
"release_date": "2024-06-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "go-retryablehttp: url might write sensitive information to log file"
},
{
"cve": "CVE-2024-24783",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-03-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268019"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause a Certificate.Verify to panic. This issue affects all crypto/tls clients and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24783"
},
{
"category": "external",
"summary": "RHBZ#2268019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268019"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24783",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24783"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24783",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24783"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2024/03/08/4",
"url": "http://www.openwall.com/lists/oss-security/2024/03/08/4"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3q2c-pvp5-3cqp",
"url": "https://github.com/advisories/GHSA-3q2c-pvp5-3cqp"
},
{
"category": "external",
"summary": "https://go.dev/cl/569339",
"url": "https://go.dev/cl/569339"
},
{
"category": "external",
"summary": "https://go.dev/issue/65390",
"url": "https://go.dev/issue/65390"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg",
"url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2598",
"url": "https://pkg.go.dev/vuln/GO-2024-2598"
},
{
"category": "external",
"summary": "https://security.netapp.com/advisory/ntap-20240329-0005",
"url": "https://security.netapp.com/advisory/ntap-20240329-0005"
}
],
"release_date": "2024-03-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm"
},
{
"cve": "CVE-2024-28180",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2024-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268854"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jose due to improper handling of highly compressed data. This issue could allow an attacker to send a JWE containing compressed data that uses large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose-go: improper handling of highly compressed data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-28180"
},
{
"category": "external",
"summary": "RHBZ#2268854",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268854"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-28180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"
}
],
"release_date": "2024-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jose-go: improper handling of highly compressed data"
},
{
"cve": "CVE-2024-35255",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2024-07-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Microsoft\u0027s Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition\u2014a scenario where the timing of events leads to unexpected behavior\u2014during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat build of Apache Camel for Spring boot is not affected as 4.4.1 was released containing a fixed version of the Azure Identity Library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "RHBZ#2295081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
},
{
"category": "external",
"summary": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499",
"url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499"
},
{
"category": "external",
"summary": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340",
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9",
"url": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9"
},
{
"category": "external",
"summary": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"release_date": "2024-07-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity"
},
{
"cve": "CVE-2024-45337",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2024-12-11T19:00:54.247490+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2331720"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is classified as important rather than critical because it does not directly enable unauthorized access but rather introduces a risk of authorization bypass if the application or library misuses the PublicKeyCallback API. The vulnerability relies on incorrect assumptions made by the application when handling the sequence or state of keys provided during SSH authentication. Properly implemented systems that use the Permissions field or avoid relying on external state remain unaffected. Additionally, the vulnerability does not allow direct exploitation to gain control over a system without the presence of insecure logic in the application\u0027s handling of authentication attempts.\n\n\nRed Hat Enterprise Linux(RHEL) 8 \u0026 9 and Red Hat Openshift marked as not affected as it was determined that the problem function `ServerConfig.PublicKeyCallback`, as noted in the CVE-2024-45337 issue, is not called by Podman, Buildah, containers-common, or the gvisor-tap-vsock projects.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "RHBZ#2331720",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331720"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-45337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337"
},
{
"category": "external",
"summary": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909",
"url": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909"
},
{
"category": "external",
"summary": "https://go.dev/cl/635315",
"url": "https://go.dev/cl/635315"
},
{
"category": "external",
"summary": "https://go.dev/issue/70779",
"url": "https://go.dev/issue/70779"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ",
"url": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-3321",
"url": "https://pkg.go.dev/vuln/GO-2024-3321"
}
],
"release_date": "2024-12-11T18:55:58.506000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto"
},
{
"cve": "CVE-2024-45338",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-12-18T21:00:59.938173+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2333122"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as an Important severity because an attacker can craft malicious input that causes the parsing functions to process data non-linearly, resulting in significant delays which leads to a denial of service by exhausting system resources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-45338"
},
{
"category": "external",
"summary": "RHBZ#2333122",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333122"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-45338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45338"
},
{
"category": "external",
"summary": "https://go.dev/cl/637536",
"url": "https://go.dev/cl/637536"
},
{
"category": "external",
"summary": "https://go.dev/issue/70906",
"url": "https://go.dev/issue/70906"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ",
"url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-3333",
"url": "https://pkg.go.dev/vuln/GO-2024-3333"
}
],
"release_date": "2024-12-18T20:38:22.660000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-21T16:57:37+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift.\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting.\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\nSee \u0027https://docs.openshift.com/container- platform/latest/security/cert_manager_operator/index.html\u0027 for additional information.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:0536"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4986a8ad37ed49652058e4acf30233649459f5e3c4b2bad9de5b9a4df6dfa531_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:c1f40166786adbd77027d0dc210e8fcd0320e9f2d3b9a3df6f6ab27a46c8ade1_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e_s390x",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:68286a86b7926a3ec88dc375a59a95716d8d3addea06ee7f88005fcd244b05a6_arm64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1da35635852cc7e5d73bde8bbec209e5b55cfae7c421817a2b4bc7e454900c0_amd64",
"cert-manager operator for Red Hat OpenShift 1.15:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html"
}
]
}
rhsa-2024:7052
Vulnerability from csaf_redhat
Published
2024-09-24 12:51
Modified
2025-08-14 16:12
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Details
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in
* CVE-2024-8391 io.vertx/vertx-grpc-server: Vertx gRPC server does not limit the maximum message size
* CVE-2024-8391 io.vertx/vertx-grpc-client: Vertx gRPC server does not limit the maximum message size
* CVE-2024-32007 org.apache.cxf/cxf-rt-rs-security-jose: apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE
* CVE-2024-41172 org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients
* CVE-2024-35255 com.azure/azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.",
"title": "Topic"
},
{
"category": "general",
"text": "An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in \n* CVE-2024-8391 io.vertx/vertx-grpc-server: Vertx gRPC server does not limit the maximum message size\n* CVE-2024-8391 io.vertx/vertx-grpc-client: Vertx gRPC server does not limit the maximum message size\n* CVE-2024-32007 org.apache.cxf/cxf-rt-rs-security-jose: apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE\n* CVE-2024-41172 org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients\n* CVE-2024-35255 com.azure/azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:7052",
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-45294",
"url": "https://access.redhat.com/security/cve/CVE-2024-45294"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-8391",
"url": "https://access.redhat.com/security/cve/CVE-2024-8391"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-32007",
"url": "https://access.redhat.com/security/cve/CVE-2024-32007"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-41172",
"url": "https://access.redhat.com/security/cve/CVE-2024-41172"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-35255",
"url": "https://access.redhat.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "2295081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081"
},
{
"category": "external",
"summary": "2298828",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298828"
},
{
"category": "external",
"summary": "2298829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
},
{
"category": "external",
"summary": "2309758",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"
},
{
"category": "external",
"summary": "2310447",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7052.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA)",
"tracking": {
"current_release_date": "2025-08-14T16:12:46+00:00",
"generator": {
"date": "2025-08-14T16:12:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2024:7052",
"initial_release_date": "2024-09-24T12:51:36+00:00",
"revision_history": [
{
"date": "2024-09-24T12:51:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-09-24T12:51:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-14T16:12:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4 for Quarkus 3",
"product": {
"name": "Red Hat build of Apache Camel 4 for Quarkus 3",
"product_id": "Red Hat build of Apache Camel 4 for Quarkus 3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:camel_quarkus:3.8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-8391",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-09-04T16:20:44.762419+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2309758"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-8391"
},
{
"category": "external",
"summary": "RHBZ#2309758",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8391"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vertx-grpc/issues/113",
"url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"
}
],
"release_date": "2024-09-04T16:15:09.253000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-24T12:51:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size"
},
{
"cve": "CVE-2024-32007",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-07-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2298828"
}
],
"notes": [
{
"category": "description",
"text": "An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The improper input validation vulnerability in the p2c parameter of Apache CXF JOSE is considered a moderate severity issue rather than a important one due to its limited scope and impact. While the flaw allows an attacker to specify a large value for the p2c parameter, leading to potential denial of service (DoS) attacks by causing excessive computational overhead, it does not compromise data integrity, confidentiality, or authentication mechanisms directly. The attack vector primarily affects system availability and exploiting this vulnerability requires the ability to send crafted tokens.\n\nBase EAP (7.4 and 8) and EAP XP (4 and 5) do not ship this affected CXF jaxrs artifact. cxf-rt-rs-security-jose is part of CXF\u0027s JAX-RS, and EAP uses RESTEasy, hence it\u0027s not-affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-32007"
},
{
"category": "external",
"summary": "RHBZ#2298828",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298828"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-32007",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32007"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-32007",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32007"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-6pff-fmh2-4mmf",
"url": "https://github.com/advisories/GHSA-6pff-fmh2-4mmf"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633",
"url": "https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633"
}
],
"release_date": "2024-07-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-24T12:51:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE"
},
{
"cve": "CVE-2024-35255",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2024-07-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Microsoft\u0027s Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition\u2014a scenario where the timing of events leads to unexpected behavior\u2014during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat build of Apache Camel for Spring boot is not affected as 4.4.1 was released containing a fixed version of the Azure Identity Library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "RHBZ#2295081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
},
{
"category": "external",
"summary": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499",
"url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499"
},
{
"category": "external",
"summary": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340",
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9",
"url": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9"
},
{
"category": "external",
"summary": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"release_date": "2024-07-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-24T12:51:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity"
},
{
"cve": "CVE-2024-41172",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2024-07-19T09:20:34+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2298829"
}
],
"notes": [
{
"category": "description",
"text": "A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-41172"
},
{
"category": "external",
"summary": "RHBZ#2298829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-41172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41172"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg",
"url": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6",
"url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"
},
{
"category": "external",
"summary": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg",
"url": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg"
}
],
"release_date": "2024-07-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-24T12:51:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients"
},
{
"cve": "CVE-2024-45294",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2024-09-06T16:20:11.403869+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2310447"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in HAPI FHIR - HL7 FHIR Core Artifacts. eXtensible Stylesheet Language Transformations (XSLT) transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This issue impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is of significant severity because it allows for XML External Entity (XXE) injection, which can lead to unauthorized access and leakage of sensitive data from the host system. In environments where external clients are permitted to submit XML files, an attacker could craft a malicious XML containing a DTD (Document Type Definition) that references external entities. When processed, this could result in the unauthorized disclosure of files, environmental variables, or other confidential data from the server, potentially compromising the integrity and confidentiality of the system.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-45294"
},
{
"category": "external",
"summary": "RHBZ#2310447",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-45294",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45294"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294"
},
{
"category": "external",
"summary": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23"
},
{
"category": "external",
"summary": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"
}
],
"release_date": "2024-09-06T16:15:03.300000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-24T12:51:36+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7052"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`"
}
]
}
rhba-2024:7523
Vulnerability from csaf_redhat
Published
2024-10-02 15:29
Modified
2025-08-04 10:15
Summary
Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.3.0 release
Notes
Topic
Red Hat Developer Hub 1.3.0 has been released.
Details
Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed,
customizable developer portal based on Backstage.io. RHDH is supported on
OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features
of RHDH include a single pane of glass, a centralized software catalog,
self-service via golden path templates, and Tech Docs. RHDH is extensible by
plugins.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Developer Hub 1.3.0 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed,\ncustomizable developer portal based on Backstage.io. RHDH is supported on\nOpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features\nof RHDH include a single pane of glass, a centralized software catalog,\nself-service via golden path templates, and Tech Docs. RHDH is extensible by\nplugins.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2024:7523",
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3",
"url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3"
},
{
"category": "external",
"summary": "RHIDP-3725",
"url": "https://issues.redhat.com/browse/RHIDP-3725"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhba-2024_7523.json"
}
],
"title": "Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.3.0 release",
"tracking": {
"current_release_date": "2025-08-04T10:15:39+00:00",
"generator": {
"date": "2025-08-04T10:15:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHBA-2024:7523",
"initial_release_date": "2024-10-02T15:29:03+00:00",
"revision_history": [
{
"date": "2024-10-02T15:29:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-02T15:29:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-04T10:15:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Hub 1.3 for RHEL 9",
"product": {
"name": "Red Hat Developer Hub 1.3 for RHEL 9",
"product_id": "9Base-RHDH-1.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhdh:1.3::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Hub"
},
{
"branches": [
{
"category": "product_version",
"name": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"product": {
"name": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"product_id": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1.3-100"
}
}
},
{
"category": "product_version",
"name": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"product": {
"name": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"product_id": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1.3-95"
}
}
},
{
"category": "product_version",
"name": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
"product": {
"name": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
"product_id": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1.3-96"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64 as a component of Red Hat Developer Hub 1.3 for RHEL 9",
"product_id": "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
},
"product_reference": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"relates_to_product_reference": "9Base-RHDH-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64 as a component of Red Hat Developer Hub 1.3 for RHEL 9",
"product_id": "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64"
},
"product_reference": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"relates_to_product_reference": "9Base-RHDH-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64 as a component of Red Hat Developer Hub 1.3 for RHEL 9",
"product_id": "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
},
"product_reference": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
"relates_to_product_reference": "9Base-RHDH-1.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-24790",
"cwe": {
"id": "CWE-115",
"name": "Misinterpretation of Input"
},
"discovery_date": "2024-06-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2292787"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn\u0027t behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE has been marked as moderate as for our products a network-based attack vector is simply impossible when it comes to golang code,apart from that as per CVE flaw analysis reported by golang, this only affects integrity and confidentiality and has no effect on availability, hence CVSS has been marked as such.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-115: Misinterpretation of Input vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nControls such as input validation and error handling mitigate input misinterpretation risks by enforcing strict validation rules and secure error management. Error handling ensures inputs are validated against predefined formats, preventing malformed data from being misinterpreted. Techniques like strong typing, allow listing, and proper encoding reduce the likelihood of injection attacks and unintended code execution. Input validation also ensures that errors do not expose sensitive system details or cause unpredictable behavior. Secure error handling prevents information leakage through detailed error messages while preserving system stability under malformed input conditions. Together, these controls reduce the attack surface by maintaining consistent input processing and preventing exploitable system states, strengthening the overall security posture.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"known_not_affected": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24790"
},
{
"category": "external",
"summary": "RHBZ#2292787",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292787"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790"
}
],
"release_date": "2024-06-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T15:29:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses"
},
{
"cve": "CVE-2024-24791",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-07-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295310"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Denial of service due to improper 100-continue handling in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections, such as IPS/IDS and antimalware solutions, help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"known_not_affected": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24791"
},
{
"category": "external",
"summary": "RHBZ#2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
},
{
"category": "external",
"summary": "https://go.dev/cl/591255",
"url": "https://go.dev/cl/591255"
},
{
"category": "external",
"summary": "https://go.dev/issue/67555",
"url": "https://go.dev/issue/67555"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
"url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
}
],
"release_date": "2024-07-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T15:29:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Denial of service due to improper 100-continue handling in net/http"
},
{
"cve": "CVE-2024-35255",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2024-07-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Microsoft\u0027s Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition\u2014a scenario where the timing of events leads to unexpected behavior\u2014during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat build of Apache Camel for Spring boot is not affected as 4.4.1 was released containing a fixed version of the Azure Identity Library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"known_not_affected": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-35255"
},
{
"category": "external",
"summary": "RHBZ#2295081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-35255",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35255"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
},
{
"category": "external",
"summary": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499",
"url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499"
},
{
"category": "external",
"summary": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340",
"url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9",
"url": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9"
},
{
"category": "external",
"summary": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"release_date": "2024-07-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T15:29:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity"
},
{
"cve": "CVE-2024-37891",
"cwe": {
"id": "CWE-669",
"name": "Incorrect Resource Transfer Between Spheres"
},
"discovery_date": "2024-06-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2292788"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "urllib3: proxy-authorization request header is not stripped during cross-origin redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": ".egg-info packages, like urllib3-1.24.2-py3.6.egg-info, store only metadata such as package version and dependencies and do not contain any affected codebase.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"known_not_affected": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-37891"
},
{
"category": "external",
"summary": "RHBZ#2292788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292788"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-37891",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"
}
],
"release_date": "2024-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T15:29:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "urllib3: proxy-authorization request header is not stripped during cross-origin redirects"
},
{
"cve": "CVE-2024-39008",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2024-07-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295029"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments to the objectMergeDeep function crafted with the built-in property: __proto__. This issue can potentially lead to a denial of service, remote code execution, or Cross-site scripting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-loops: prototype pollution via objectMergeDeep",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"known_not_affected": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-39008"
},
{
"category": "external",
"summary": "RHBZ#2295029",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295029"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-39008",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39008"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-39008",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39008"
},
{
"category": "external",
"summary": "https://gist.github.com/mestrtee/f09a507c8d59fbbb7fd40880cd9b87ed",
"url": "https://gist.github.com/mestrtee/f09a507c8d59fbbb7fd40880cd9b87ed"
}
],
"release_date": "2024-07-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T15:29:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "fast-loops: prototype pollution via objectMergeDeep"
},
{
"cve": "CVE-2024-39249",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2024-07-01T20:20:32+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295035"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-async: Regular expression denial of service while parsing function in autoinject",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"known_not_affected": [
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-39249"
},
{
"category": "external",
"summary": "RHBZ#2295035",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295035"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-39249",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39249"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-39249",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39249"
},
{
"category": "external",
"summary": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41",
"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41"
},
{
"category": "external",
"summary": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6",
"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6"
},
{
"category": "external",
"summary": "https://github.com/zunak/CVE-2024-39249",
"url": "https://github.com/zunak/CVE-2024-39249"
}
],
"release_date": "2024-07-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T15:29:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2024:7523"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
"9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-async: Regular expression denial of service while parsing function in autoinject"
}
]
}
fkie_cve-2024-35255
Vulnerability from fkie_nvd
Published
2024-06-11 17:16
Modified
2024-11-21 09:20
Severity ?
Summary
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 | Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:*",
"matchCriteriaId": "1F13542D-538A-47C1-9BD1-9E0D5CBCE26B",
"versionEndExcluding": "1.15.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F7C63AFB-7B70-45A6-A9F2-83B413A83951",
"versionEndIncluding": "2.9.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:*",
"matchCriteriaId": "3C2C72F0-370B-40C9-BE59-003759D8075D",
"versionEndExcluding": "4.61.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:go:*:*",
"matchCriteriaId": "4747CC36-3E5B-40E3-A955-75044682B9B7",
"versionEndExcluding": "1.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:c\\+\\+:*:*",
"matchCriteriaId": "E994EFF7-09AC-4979-A37B-5030C56F0F70",
"versionEndExcluding": "1.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:.net:*:*",
"matchCriteriaId": "1D1BABF5-442F-4A95-A608-DEF21245930F",
"versionEndExcluding": "1.11.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*",
"matchCriteriaId": "2EDF4F14-5A4B-4EA4-B1DA-6E3779BF4F8A",
"versionEndExcluding": "1.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:python:*:*",
"matchCriteriaId": "4D509315-188D-403A-B9DC-1104958834F1",
"versionEndExcluding": "1.16.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:javascript:*:*",
"matchCriteriaId": "9BC2D3A8-759D-4BBC-AA63-45D7A52EF907",
"versionEndExcluding": "4.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"
},
{
"lang": "es",
"value": "Vulnerabilidad de elevaci\u00f3n de privilegios en las librer\u00edas de identidad de Azure y la librer\u00eda de autenticaci\u00f3n de Microsoft"
}
],
"id": "CVE-2024-35255",
"lastModified": "2024-11-21T09:20:01.923",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "secure@microsoft.com",
"type": "Primary"
}
]
},
"published": "2024-06-11T17:16:03.550",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "secure@microsoft.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…