rhsa-2025:9167
Vulnerability from csaf_redhat
Published: 2025-06-17 09:27
Modified: 2025-08-15 03:17
Summary
Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.6.0 release

Notes

Topic
Red Hat build of OpenTelemetry 3.6.0 has been released
Details
Breaking changes:
* Nothing

Deprecations:
* Nothing

Technology Preview features:
* Cumulative-to-Delta Processor

Enhancements:
* The following Technology Preview features reach General Availability:
  * Kafka Exporter
  * Attributes Processor
  * Resource Processor
  * Prometheus Receiver
* With this update, the OpenTelemetry Collector can read TLS certificates in the `tss2` format according to the TPM Software Stack specification (TSS) 2.0 of the Trusted Platform Module (TPM) 2.0 Library by the Trusted Computing Group (TCG).
* With this update, the Red Hat build of OpenTelemetry Operator automatically upgrades all OpenTelemetryCollector custom resources during its startup. The Operator reconciles all managed instances during its startup. If there is an error, the Operator retries the upgrade at exponential backoff. If an upgrade fails, the Operator will retry the upgrade again when it restarts.

Bug fixes:
* Nothing

Known issues:
There is currently a known issue with the following exporters:
* AWS CloudWatch Logs Exporter
* AWS EMF Exporter
* AWS X-Ray Exporter

This known issue affects deployments that use the optional endpoint field of the exporter configuration in the Collector custom resource. Not specifying the protocol, such as https://, as part of the endpoint value results in the unsupported protocol scheme error.

Workaround: Include the protocol, such as https://, as part of the endpoint value.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat build of OpenTelemetry 3.6.0 has been released",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "\nBreaking changes:\n* Nothing\n\nDeprecations:\n* Nothing\n\nTechnology Preview features:\n\n* Cumulative-to-Delta Processor\nEnhancements:\n* The following Technology Preview features reach General Availability:\n\n  * Kafka Exporter\n\n  * Attributes Processor\n\n  * Resource Processor\n\n  * Prometheus Receiver\n\n* With this update, the OpenTelemetry Collector can read TLS certificates in the `tss2` format according to the TPM Software Stack specification (TSS) 2.0 of the Trusted Platform Module (TPM) 2.0 Library by the Trusted Computing Group (TCG).\n* With this update, the Red Hat build of OpenTelemetry Operator automatically upgrades all OpenTelemetryCollector custom resources during its startup. The Operator reconciles all managed instances during its startup. If there is an error, the Operator retries the upgrade at exponential backoff. If an upgrade fails, the Operator will retry the upgrade again when it restarts.\nBug fixes:\n* Nothing\nKnown issues:\n  There is currently a known issue with the following exporters:\n\n    * AWS CloudWatch Logs Exporter\n    * AWS EMF Exporter\n    * AWS X-Ray Exporter\n\n  This known issue affects deployments that use the optional endpoint field of the exporter configuration in the Collector custom resource. Not specifying the protocol, such as https://, as part of the endpoint value results in the unsupported protocol scheme error. Workaround: Include the protocol, such as https://, as part of the endpoint value.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:9167",
        "url": "https://access.redhat.com/errata/RHSA-2025:9167"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-22868",
        "url": "https://access.redhat.com/security/cve/CVE-2025-22868"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-27144",
        "url": "https://access.redhat.com/security/cve/CVE-2025-27144"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-29786",
        "url": "https://access.redhat.com/security/cve/CVE-2025-29786"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-30204",
        "url": "https://access.redhat.com/security/cve/CVE-2025-30204"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry",
        "url": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_9167.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.6.0 release",
    "tracking": {
      "current_release_date": "2025-08-15T03:17:26+00:00",
      "generator": {
        "date": "2025-08-15T03:17:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.6"
        }
      },
      "id": "RHSA-2025:9167",
      "initial_release_date": "2025-06-17T09:27:34+00:00",
      "revision_history": [
        {
          "date": "2025-06-17T09:27:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-06-17T09:27:45+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-08-15T03:17:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift distributed tracing 3.6.1",
                "product": {
                  "name": "Red Hat OpenShift distributed tracing 3.6.1",
                  "product_id": "Red Hat OpenShift distributed tracing 3.6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift distributed tracing"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-operator-bundle@sha256%3Af08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749571054"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3A5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749567716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3Ac105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565051"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3A2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565136"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3A3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749567716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3A0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565051"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3Ac02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565136"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3Aed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749567716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3Aec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565051"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3A41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565136"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3Ab4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749567716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3Af765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565051"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x",
                "product": {
                  "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x",
                  "product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3Ac397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt\u0026tag=rhosdt-3.6-1749565136"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64 as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x as a component of Red Hat OpenShift distributed tracing 3.6.1",
          "product_id": "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
        },
        "product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x",
        "relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.6.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "jub0bs"
          ]
        }
      ],
      "cve": "CVE-2025-22868",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2025-02-26T04:00:44.350024+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2348366"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "RHBZ#2348366",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/652155",
          "url": "https://go.dev/cl/652155"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/71490",
          "url": "https://go.dev/issue/71490"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3488",
          "url": "https://pkg.go.dev/vuln/GO-2025-3488"
        }
      ],
      "release_date": "2025-02-26T03:07:49.012000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-06-17T09:27:34+00:00",
          "details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:9167"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
    },
    {
      "cve": "CVE-2025-27144",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-02-24T23:00:42.448432+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2347423"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. This issue could be exploied by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-jose: Go JOSE\u0027s Parsing Vulnerable to Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-770: Allocation of Resources Without Limits or Throttling vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces hardening guidelines to apply the most restrictive settings required for operations, while baseline configurations maintain secure system and software states. A defense-in-depth monitoring strategy includes perimeter firewalls and endpoint protection services that detect excessive resource usage caused by malicious activity or system misconfigurations. In the event of exploitation, process isolation ensures workloads operate in separate environments, preventing any single process from overconsuming CPU or memory and degrading system performance.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-27144"
        },
        {
          "category": "external",
          "summary": "RHBZ#2347423",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347423"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-27144",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-27144"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27144",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27144"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22",
          "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5",
          "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"
        }
      ],
      "release_date": "2025-02-24T22:22:22.863000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-06-17T09:27:34+00:00",
          "details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:9167"
        },
        {
          "category": "workaround",
          "details": "As a workaround, applications can pre-validate that payloads being passed to Go JOSE do not contain an excessive number of `.` characters.",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "go-jose: Go JOSE\u0027s Parsing Vulnerable to Denial of Service"
    },
    {
      "cve": "CVE-2025-29786",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-03-17T14:00:59.078419+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2352914"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Expr. This vulnerability allows excessive memory usage and potential out-of-memory (OOM) crashes via unbounded input strings, where a malicious or inadvertent large expression can cause the parser to construct an extremely large Abstract Syntax Tree (AST), consuming excessive memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-29786"
        },
        {
          "category": "external",
          "summary": "RHBZ#2352914",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2352914"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-29786",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-29786"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-29786",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29786"
        },
        {
          "category": "external",
          "summary": "https://github.com/expr-lang/expr/pull/762",
          "url": "https://github.com/expr-lang/expr/pull/762"
        },
        {
          "category": "external",
          "summary": "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2",
          "url": "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2"
        }
      ],
      "release_date": "2025-03-17T13:15:32.836000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-06-17T09:27:34+00:00",
          "details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:9167"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, it is recommended to impose an input size restriction before parsing (i.e. validating or limiting the length of expression strings that the application will accept). Ensuring no unbounded-length expressions are fed into the parser will prevent the parser from constructing a very large AST and avoid the potential memory exhaustion issue.",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input"
    },
    {
      "cve": "CVE-2025-30204",
      "cwe": {
        "id": "CWE-405",
        "name": "Asymmetric Resource Consumption (Amplification)"
      },
      "discovery_date": "2025-03-21T22:00:43.818367+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2354195"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
          "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-30204"
        },
        {
          "category": "external",
          "summary": "RHBZ#2354195",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354195"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-30204",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-30204"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3",
          "url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp",
          "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3553",
          "url": "https://pkg.go.dev/vuln/GO-2025-3553"
        }
      ],
      "release_date": "2025-03-21T21:42:01.382000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-06-17T09:27:34+00:00",
          "details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:9167"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:3a4f2fdde35600a6e0a7f947ee2b0f8a75701198b129a39aecce2d1f047181b7_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:5e0a98e281698282f6dba8942fbc992cdeb0da30c0f465f39b5c28e86bd7b39a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:b4ffed36d8f0d575ca959b76e4a22f4197349e277af1586058c18c013feabe28_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:ed84b0251ae531c31b2c5930f8ba59a64aeda8d96df04accefbeab0899640dee_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:f08e30a5035f1c1bb79d62bc3db9ab19b9b8652c32b8c365e92ceab8abd01090_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:0230ba6094579249356713d21de1f454b7c23a16426661328b978869db9c2e53_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:c105cc315f0cac6c42fb3434f6e3c87e58e0dfb25f36ea6fb19016acbf888b86_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ec808ab1424252f10adb295e8f886ded407aee865017c94ce34723e399b4c335_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:f765a4a9eb745a42721e03609ff3de66fb88cb217b3bf4977a56668e175e4484_s390x",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:2cf4f832dc46517c844b147c118dbc78fd2c17cda5726fe8c27757c601abaa2a_amd64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:41d362f767f672bf714049e554014c2cb050b2813388a5ceb6c17f31254b2b71_ppc64le",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c02bbc2dc27a51bf98da4b0d1d3974ed0428d498eb78bddb9f8d3392e8faa1ea_arm64",
            "Red Hat OpenShift distributed tracing 3.6.1:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:c397ea8f4c20470a1af7003f93c3c1da9d8b0d4da7313e0f4ad91c4dfa8a9d12_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing"
    }
  ]
}

