rhsa-2025:3501
Vulnerability from csaf_redhat
Published
2025-04-01 20:50
Modified
2025-08-14 09:11
Summary
Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.15.1-4 Update
Notes
Topic
Custom Metrics Autoscaler Operator for Red Hat OpenShift updates.
The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:
* custom-metrics-autoscaler-adapter-container
* custom-metrics-autoscaler-admission-webhooks-container
* custom-metrics-autoscaler-container
* custom-metrics-autoscaler-operator-bundle-container
* custom-metrics-autoscaler-operator-container
Details
The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics.
This release is based upon KEDA 2.15.1.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Custom Metrics Autoscaler Operator for Red Hat OpenShift updates.\nThe following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:\n* custom-metrics-autoscaler-adapter-container * custom-metrics-autoscaler-admission-webhooks-container * custom-metrics-autoscaler-container * custom-metrics-autoscaler-operator-bundle-container * custom-metrics-autoscaler-operator-container", "title": "Topic" }, { "category": "general", "text": "The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics.\nThis release is based upon KEDA 2.15.1", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:3501", "url": "https://access.redhat.com/errata/RHSA-2025:3501" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-22868", "url": "https://access.redhat.com/security/cve/CVE-2025-22868" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-34156", "url": "https://access.redhat.com/security/cve/CVE-2024-34156" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-27144", "url": "https://access.redhat.com/security/cve/CVE-2025-27144" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3501.json" } ], "title": "Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.15.1-4 Update", "tracking": { "current_release_date": "2025-08-14T09:11:36+00:00", "generator": { "date": "2025-08-14T09:11:36+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2025:3501", "initial_release_date": "2025-04-01T20:50:35+00:00", "revision_history": [ { "date": "2025-04-01T20:50:35+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-04-02T11:00:35+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-14T09:11:36+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Custom Metric 
Autoscaler operator for Red Hat Openshift 2.15", "product": { "name": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.15::el9" } } } ], "category": "product_family", "name": "Custom Metric Autoscaler operator for Red Hat Openshift" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-rhel9-operator@sha256%3Af29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742297344" } } }, { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "product_identification_helper": { "purl": 
"pkg:oci/custom-metrics-autoscaler-operator-bundle@sha256%3A8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742311148" } } }, { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-adapter-rhel9@sha256%3Ac1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742296189" } } }, { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-rhel9@sha256%3Acc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742296747" } } }, { "category": "product_version", "name": 
"registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256%3A4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742297180" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-rhel9-operator@sha256%3A9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c?arch=arm64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742297344" } } }, { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "product": { 
"name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-adapter-rhel9@sha256%3A54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd?arch=arm64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742296189" } } }, { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "product_id": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-rhel9@sha256%3Aa5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303?arch=arm64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742296747" } } }, { "category": "product_version", "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "product": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "product_id": 
"registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "product_identification_helper": { "purl": "pkg:oci/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256%3Aca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9?arch=arm64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler\u0026tag=2.15.1-1742297180" } } } ], "category": "architecture", "name": "arm64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64" }, "product_reference": 
"registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat 
Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64 as a component of Custom Metric Autoscaler operator 
for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64" }, "product_reference": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64 as a component of Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "product_id": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" }, "product_reference": 
"registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64", "relates_to_product_reference": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-34156", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2024-09-06T21:20:09.377905+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2310528" } ], "notes": [ { "category": "description", "text": "A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.", "title": "Vulnerability description" }, { "category": "summary", "text": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability in Go\u0027s `encoding/gob` package is of high severity because it exposes applications to potential Denial of Service (DoS) attacks through stack exhaustion. Since `gob` relies on recursive function calls to decode nested structures, an attacker could exploit this by sending crafted messages with excessively deep nesting, causing the application to panic due to stack overflow. 
This risk is particularly important in scenarios where untrusted or external input is processed, as it can lead to system unavailability or crashes, undermining the reliability and availability of services.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ], "known_not_affected": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-34156" }, { "category": "external", "summary": "RHBZ#2310528", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310528" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-34156", "url": "https://www.cve.org/CVERecord?id=CVE-2024-34156" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-34156", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34156" }, { "category": "external", "summary": "https://go.dev/cl/611239", "url": "https://go.dev/cl/611239" }, { "category": "external", "summary": "https://go.dev/issue/69139", "url": "https://go.dev/issue/69139" }, { "category": "external", "summary": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk", "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2024-3106", "url": "https://pkg.go.dev/vuln/GO-2024-3106" } ], "release_date": "2024-09-06T21:15:12.020000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-04-01T20:50:35+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer 
to:\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3501" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" }, { "acknowledgments": [ { "names": [ "jub0bs" ] } ], "cve": "CVE-2025-22868", "cwe": { "id": "CWE-1286", "name": "Improper Validation of Syntactic Correctness of Input" }, "discovery_date": "2025-02-26T04:00:44.350024+00:00", 
"flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2348366" } ], "notes": [ { "category": "description", "text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. 
An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ], "known_not_affected": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-22868" }, { "category": "external", "summary": "RHBZ#2348366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868", "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868" }, { "category": "external", "summary": "https://go.dev/cl/652155", "url": "https://go.dev/cl/652155" }, { "category": "external", "summary": "https://go.dev/issue/71490", "url": "https://go.dev/issue/71490" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2025-3488", "url": "https://pkg.go.dev/vuln/GO-2025-3488" } ], "release_date": "2025-02-26T03:07:49.012000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-04-01T20:50:35+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system 
have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3501" }, { "category": "workaround", "details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ] } 
], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws" }, { "cve": "CVE-2025-27144", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2025-02-24T23:00:42.448432+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler 
operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2347423" } ], "notes": [ { "category": "description", "text": "A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. This issue could be exploited by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "go-jose: Go JOSE\u0027s Parsing Vulnerable to Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-770: Allocation of Resources Without Limits or Throttling vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces hardening guidelines to apply the most restrictive settings required for operations, while baseline configurations maintain secure system and software states. 
A defense-in-depth monitoring strategy includes perimeter firewalls and endpoint protection services that detect excessive resource usage caused by malicious activity or system misconfigurations. In the event of exploitation, process isolation ensures workloads operate in separate environments, preventing any single process from overconsuming CPU or memory and degrading system performance.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ], "known_not_affected": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-27144" }, { "category": "external", "summary": "RHBZ#2347423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347423" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-27144", "url": "https://www.cve.org/CVERecord?id=CVE-2025-27144" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27144", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27144" }, { "category": "external", "summary": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22" }, { "category": "external", "summary": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5" }, { "category": "external", "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78" } ], 
"release_date": "2025-02-24T22:22:22.863000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-04-01T20:50:35+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3501" }, { "category": "workaround", "details": "As a workaround, applications can pre-validate that payloads being passed to Go JOSE do not contain an excessive number of `.` characters.", "product_ids": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:54bea2715a756906158c46c522b1b25fc91389a4f8834ed7abc8ec8e74742edd_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 
2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9@sha256:c1157f466293e87e51162599e1d69c489eaf9699dbfba334760b9927eabdd475_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:4b65d73b1479d35ceb8caba98e2dc58cb13d3d8f3545ec8bb8799439dfca4ee3_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9@sha256:ca9c73d5adf71ba2aba7b47d63f038364860f0fb5becf39eb87bf2f261eef7b9_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:8b9ebfcc795ea83fa038daa9471b45bb8527d4fc705a95f8121703fd063c6b79_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:9f583938da2d79ea0ab8a49d0d4b936fc48754d0048e04a7caad78ab886c2c4c_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator@sha256:f29faa109ea2a8c418e5a3c6cb2069805037232872122db46e7c0a2033e9ec9e_amd64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303_arm64", "Custom Metric Autoscaler operator for Red Hat Openshift 2.15:registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9@sha256:cc1abd24fce82a1fb24ba726e25f1763ac2a497d5bf2e3352210fa65d133a514_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "go-jose: Go JOSE\u0027s Parsing Vulnerable to Denial of Service" } ] }
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.