Vulnerability-Lookup

CVE-2022-1996 (GCVE-0-2022-1996)

Vulnerability from cvelistv5 – Published: 2022-06-06 00:00 – Updated: 2024-08-03 00:24

Title

Authorization Bypass Through User-Controlled Key in emicklei/go-restful

Summary

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

Severity

9.3 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

@huntrdev

References

11 references

URL	Tags
https://huntr.dev/bounties/be837427-415c-4d8c-808…
https://github.com/emicklei/go-restful/commit/fd3…
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.netapp.com/advisory/ntap-2022092…
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
emicklei	emicklei/go-restful	Affected: unspecified , < v3.8.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:24:43.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
          },
          {
            "name": "FEDORA-2022-185697ef56",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
          },
          {
            "name": "FEDORA-2022-589a0ad690",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
          },
          {
            "name": "FEDORA-2022-fae3ecee19",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
          },
          {
            "name": "FEDORA-2022-ba365d3703",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
          },
          {
            "name": "FEDORA-2022-30c5ed5625",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
          },
          {
            "name": "FEDORA-2023-6550d9323b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
          },
          {
            "name": "FEDORA-2023-4e2068ba5d",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
          },
          {
            "name": "FEDORA-2023-c9b2182a4e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "emicklei/go-restful",
          "vendor": "emicklei",
          "versions": [
            {
              "lessThan": "v3.8.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-23T00:00:00.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
        },
        {
          "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
        },
        {
          "name": "FEDORA-2022-185697ef56",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
        },
        {
          "name": "FEDORA-2022-589a0ad690",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
        },
        {
          "name": "FEDORA-2022-fae3ecee19",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
        },
        {
          "name": "FEDORA-2022-ba365d3703",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
        },
        {
          "name": "FEDORA-2022-30c5ed5625",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
        },
        {
          "name": "FEDORA-2023-6550d9323b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
        },
        {
          "name": "FEDORA-2023-4e2068ba5d",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
        },
        {
          "name": "FEDORA-2023-c9b2182a4e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
        }
      ],
      "source": {
        "advisory": "be837427-415c-4d8c-808b-62ce20aa84f1",
        "discovery": "EXTERNAL"
      },
      "title": "Authorization Bypass Through User-Controlled Key in emicklei/go-restful"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-1996",
    "datePublished": "2022-06-06T00:00:00.000Z",
    "dateReserved": "2022-06-06T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:24:43.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-1996",
      "date": "2026-05-27",
      "epss": "0.00963",
      "percentile": "0.76777"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.16.0\", \"matchCriteriaId\": \"23CD29C7-E4EC-47EF-8D44-4976CC43789C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.8.0\", \"matchCriteriaId\": \"9244D03B-7D8E-4215-9BBC-0E78B70C4EEC\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.\"}, {\"lang\": \"es\", \"value\": \"Una Omisi\\u00f3n de la Autorizaci\\u00f3n Mediante una Clave Controlada por el Usuario en el repositorio GitHub emicklei/go-restful versiones anteriores a v3.8.0\"}]",
      "id": "CVE-2022-1996",
      "lastModified": "2024-11-21T06:41:54.873",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.8}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-06-08T13:15:07.987",
      "references": "[{\"url\": \"https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10\", \"source\": \"security@huntr.dev\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20220923-0005/\", \"source\": \"security@huntr.dev\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20220923-0005/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@huntr.dev",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-1996\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2022-06-08T13:15:07.987\",\"lastModified\":\"2024-11-21T06:41:54.873\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.\"},{\"lang\":\"es\",\"value\":\"Una Omisi\u00f3n de la Autorizaci\u00f3n Mediante una Clave Controlada por el Usuario en el repositorio GitHub emicklei/go-restful versiones anteriores a v3.8.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.8}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.16.0\",\"matchCriteriaId\":\"23CD29C7-E4EC-47EF-8D44-4976CC43789C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.8.0\",\"matchCriteriaId\":\"9244D03B-7D8E-4215-9BBC-0E78B70C4EEC\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}],\"references\":[{\"url\":\"https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220923-0005/\",\"source\":\"security@huntr.dev\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220923-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2024-AVI-0459

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	N/A	IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions postérieures à 3.5 et antérieures à 4.8.5
IBM	N/A	DevOps Code ClearCase versions 11.0.x sans le dernier correctif de sécurité
IBM	N/A	Rational ClearCase versions 9.1.x et 10.0.0.x sans le dernier correctif de sécurité

References

Title

Publication Time

CERTFR-2024-AVI-0459

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	N/A	IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions postérieures à 3.5 et antérieures à 4.8.5
IBM	N/A	DevOps Code ClearCase versions 11.0.x sans le dernier correctif de sécurité
IBM	N/A	Rational ClearCase versions 9.1.x et 10.0.0.x sans le dernier correctif de sécurité

References

Title

Publication Time

BDU:2022-04072

Vulnerability from fstec - Published: 08.06.2022

Title

Уязвимость программного средства создания веб-служб go-restful, связанная с обходом авторизации посредством ключа, контролируемого пользователем, позволяющая наруштителю повысить свои привилегии

Description

Уязвимость программного средства создания веб-служб go-restful связана с обходом авторизации посредством ключа, контролируемого пользователем. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, повысить свои привилегии

Severity


                    
                      AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Vendor

Red Hat Inc., Fedora Project, Сообщество свободного программного обеспечения

Software Name

Red Hat Virtualization, OpenShift Container Platform, Openshift Service Mesh, Fedora, Ansible Automation Platform, Red Hat Openshift Data Foundation, Red Hat Openshift Container Storage, go-restful

Software Version

4 (Red Hat Virtualization), 3.11 (OpenShift Container Platform), 4 (OpenShift Container Platform), 2 (Openshift Service Mesh), 35 (Fedora), 1.2 (Ansible Automation Platform), 2.0 (Ansible Automation Platform), 4 (Red Hat Openshift Data Foundation), 36 (Fedora), 4 (Red Hat Openshift Container Storage), 2.1.0 (Openshift Service Mesh), до 3.8.0 (go-restful)

Possible Mitigations

Использование рекомендаций: Для emicklei/go-restful: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 Для Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/ Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2022-1996

Reference

https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/ https://access.redhat.com/security/cve/CVE-2022-1996

CWE

CWE-639

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., Fedora Project, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "4 (Red Hat Virtualization), 3.11 (OpenShift Container Platform), 4 (OpenShift Container Platform), 2 (Openshift Service Mesh), 35 (Fedora), 1.2 (Ansible Automation Platform), 2.0 (Ansible Automation Platform), 4 (Red Hat Openshift Data Foundation), 36 (Fedora), 4 (Red Hat Openshift Container Storage), 2.1.0 (Openshift Service Mesh), \u0434\u043e 3.8.0 (go-restful)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f emicklei/go-restful:\nhttps://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10\n\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2022-1996",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.06.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "04.07.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.07.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-04072",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-1996",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Virtualization, OpenShift Container Platform, Openshift Service Mesh, Fedora, Ansible Automation Platform, Red Hat Openshift Data Foundation, Red Hat Openshift Container Storage, go-restful",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Fedora Project Fedora 35 , Fedora Project Fedora 36 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0432\u0435\u0431-\u0441\u043b\u0443\u0436\u0431 go-restful, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u043a\u043b\u044e\u0447\u0430, \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0442\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0431\u0445\u043e\u0434 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043a\u043b\u044e\u0447\u0430, \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c (CWE-639)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0432\u0435\u0431-\u0441\u043b\u0443\u0436\u0431 go-restful \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u043a\u043b\u044e\u0447\u0430, \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10\nhttps://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/\nhttps://access.redhat.com/security/cve/CVE-2022-1996",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-639",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,4)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,3)"
}

cleanstart-2026-hv28992

Vulnerability from cleanstart

Published

2026-01-30 15:55

Modified

2026-01-29 18:58

Summary

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3

Details

Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3. See references for individual vulnerability details.

Severity

9.8 (Critical)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2022-1996	WEB
	https://osv.dev/vulnerability/CVE-2022-27191	WEB
	https://osv.dev/vulnerability/CVE-2022-27664	WEB
	https://osv.dev/vulnerability/CVE-2022-28948	WEB
	https://osv.dev/vulnerability/CVE-2022-29526	WEB
	https://osv.dev/vulnerability/CVE-2022-30636	WEB
	https://osv.dev/vulnerability/CVE-2022-32149	WEB
	https://osv.dev/vulnerability/CVE-2023-44487	WEB
	https://osv.dev/vulnerability/CVE-2024-12401	WEB
	https://osv.dev/vulnerability/CVE-2024-24786	WEB
	https://osv.dev/vulnerability/GHSA-M425-MQ94-257G	WEB
	https://osv.dev/vulnerability/GHSA-R4PG-VG54-WXX4	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-1996	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-27191	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-27664	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-28948	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-29526	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-30636	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-32149	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-44487	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-12401	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-24786	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "cert-manager-webhook-pdns-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-HV28992",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T15:55:24.450018Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-HV28992"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-1996"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-27191"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-27664"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-28948"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-29526"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-30636"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-32149"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-44487"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-12401"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-24786"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-M425-MQ94-257G"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-R4PG-VG54-WXX4"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1996"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27191"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28948"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30636"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12401"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3",
  "upstream": [
    "CVE-2022-1996",
    "CVE-2022-27191",
    "CVE-2022-27664",
    "CVE-2022-28948",
    "CVE-2022-29526",
    "CVE-2022-30636",
    "CVE-2022-32149",
    "CVE-2023-44487",
    "CVE-2024-12401",
    "CVE-2024-24786",
    "GHSA-M425-MQ94-257G",
    "GHSA-R4PG-VG54-WXX4"
  ]
}

cleanstart-2026-ys66739

Vulnerability from cleanstart

Published

2026-01-30 15:00

Modified

2026-01-29 18:58

Summary

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3

Details

Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3. See references for individual vulnerability details.

Severity

9.8 (Critical)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2022-1996	WEB
	https://osv.dev/vulnerability/CVE-2025-47907	WEB
	https://osv.dev/vulnerability/GHSA-3hfq-cx9j-923w	WEB
	https://osv.dev/vulnerability/GHSA-459x-q9hg-4gpq	WEB
	https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9	WEB
	https://osv.dev/vulnerability/GHSA-hgv6-w7r3-w4qw	WEB
	https://osv.dev/vulnerability/GHSA-jrr2-x33p-6hvc	WEB
	https://osv.dev/vulnerability/GHSA-r5p3-955p-5ggq	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-1996	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-47907	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "kyverno-policy-reporter-kyverno-plugin-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1-r6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-YS66739",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T15:00:53.250874Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-YS66739.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-1996"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-47907"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-3hfq-cx9j-923w"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-459x-q9hg-4gpq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-hgv6-w7r3-w4qw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-jrr2-x33p-6hvc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-r5p3-955p-5ggq"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1996"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3",
  "upstream": [
    "CVE-2022-1996",
    "CVE-2025-47907",
    "GHSA-3hfq-cx9j-923w",
    "GHSA-459x-q9hg-4gpq",
    "GHSA-6v2p-p543-phr9",
    "GHSA-hgv6-w7r3-w4qw",
    "GHSA-jrr2-x33p-6hvc",
    "GHSA-r5p3-955p-5ggq"
  ]
}

FKIE_CVE-2022-1996

Vulnerability from fkie_nvd - Published: 2022-06-08 13:15 - Updated: 2024-11-21 06:41

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

References

URL	Tags
security@huntr.dev	https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1	Exploit, Patch, Third Party Advisory
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
security@huntr.dev	https://security.netapp.com/advisory/ntap-20220923-0005/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20220923-0005/	Third Party Advisory

Impacted products

Vendor	Product	Version
go-restful_project	go-restful	*
go-restful_project	go-restful	*
fedoraproject	fedora	35
fedoraproject	fedora	36

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "23CD29C7-E4EC-47EF-8D44-4976CC43789C",
              "versionEndExcluding": "2.16.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9244D03B-7D8E-4215-9BBC-0E78B70C4EEC",
              "versionEndExcluding": "3.8.0",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0."
    },
    {
      "lang": "es",
      "value": "Una Omisi\u00f3n de la Autorizaci\u00f3n Mediante una Clave Controlada por el Usuario en el repositorio GitHub emicklei/go-restful versiones anteriores a v3.8.0"
    }
  ],
  "id": "CVE-2022-1996",
  "lastModified": "2024-11-21T06:41:54.873",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.8,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-08T13:15:07.987",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-R48Q-9G5R-8Q2H

Vulnerability from github – Published: 2022-06-09 00:00 – Updated: 2022-06-17 18:18

Summary

Authorization Bypass Through User-Controlled Key in go-restful

Details

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emicklei/go-restful/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emicklei/go-restful"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emicklei/go-restful/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-09T23:50:21Z",
    "nvd_published_at": "2022-06-08T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
  "id": "GHSA-r48q-9g5r-8q2h",
  "modified": "2022-06-17T18:18:04Z",
  "published": "2022-06-09T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/issues/489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/commit/926662532deb450272956c7bc573978464aae74e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220923-0005"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0619"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emicklei/go-restful"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in go-restful"
}

GSD-2022-1996

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

Aliases

CVE-2022-1996

Aliases

CVE-2022-1996

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-1996",
    "description": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
    "id": "GSD-2022-1996",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-1996.html",
      "https://access.redhat.com/errata/RHSA-2022:6040",
      "https://access.redhat.com/errata/RHSA-2022:6042",
      "https://alas.aws.amazon.com/cve/html/CVE-2022-1996.html",
      "https://access.redhat.com/errata/RHSA-2022:6351",
      "https://access.redhat.com/errata/RHSA-2022:8609",
      "https://access.redhat.com/errata/RHSA-2023:0814"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-1996"
      ],
      "details": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
      "id": "GSD-2022-1996",
      "modified": "2023-12-13T01:19:28.595722Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-1996",
        "STATE": "PUBLIC",
        "TITLE": "Authorization Bypass Through User-Controlled Key in emicklei/go-restful"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "emicklei/go-restful",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "v3.8.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "emicklei"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-639 Authorization Bypass Through User-Controlled Key"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
          },
          {
            "name": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10",
            "refsource": "MISC",
            "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
          },
          {
            "name": "FEDORA-2022-185697ef56",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
          },
          {
            "name": "FEDORA-2022-589a0ad690",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
          },
          {
            "name": "FEDORA-2022-fae3ecee19",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
          },
          {
            "name": "FEDORA-2022-ba365d3703",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
          },
          {
            "name": "FEDORA-2022-30c5ed5625",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20220923-0005/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
          },
          {
            "name": "FEDORA-2023-6550d9323b",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
          },
          {
            "name": "FEDORA-2023-4e2068ba5d",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
          },
          {
            "name": "FEDORA-2023-c9b2182a4e",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
          }
        ]
      },
      "source": {
        "advisory": "be837427-415c-4d8c-808b-62ce20aa84f1",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv2.16.0 || \u003e=v3.0.0 \u003cv3.8.0",
          "affected_versions": "All versions before 2.16.0, all versions starting from 3.0.0 before 3.8.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-639",
            "CWE-937"
          ],
          "date": "2023-02-23",
          "description": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
          "fixed_versions": [
            "v2.16.0",
            "v3.8.0"
          ],
          "identifier": "CVE-2022-1996",
          "identifiers": [
            "CVE-2022-1996",
            "GHSA-r48q-9g5r-8q2h"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/emicklei/go-restful",
          "pubdate": "2022-06-08",
          "solution": "Upgrade to versions 2.16.0, 3.8.0 or above.",
          "title": "Authorization Bypass Through User-Controlled Key in go-restful",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-1996",
            "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10",
            "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1",
            "https://github.com/emicklei/go-restful/issues/489",
            "https://github.com/advisories/GHSA-r48q-9g5r-8q2h"
          ],
          "uuid": "5b334f94-b462-4a82-a6d7-0a33dbf75a52",
          "versions": [
            {
              "commit": {
                "sha": "8ed6b2ad87c8242589da4e1aa62ca62a130bdb39",
                "tags": [
                  "v3.0.0"
                ],
                "timestamp": "20200112161832"
              },
              "number": "v3.0.0"
            },
            {
              "commit": {
                "sha": "3382802bdf11d941f12ad48e4cfe36f09a7dd423",
                "tags": [
                  "v3.8.0"
                ],
                "timestamp": "20220606055442"
              },
              "number": "v3.8.0"
            },
            {
              "commit": {
                "sha": "eed2f02e675e29756d5616fc6ff8018ed1d3480f",
                "tags": [
                  "v2.16.0"
                ],
                "timestamp": "20220711191456"
              },
              "number": "v2.16.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv2.16.0||\u003e=v3.0.0 \u003cv3.8.0",
          "affected_versions": "All versions before v2.16.0, all versions starting from v3.0.0 before v3.8.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-639"
          ],
          "date": "2022-07-21",
          "description": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful",
          "fixed_versions": [
            "v2.16.0",
            "v3.8.0"
          ],
          "identifier": "CVE-2022-1996",
          "identifiers": [
            "GHSA-r48q-9g5r-8q2h",
            "CVE-2022-1996"
          ],
          "not_impacted": "All versions starting from v2.16.0 before v3.0.0, all versions starting from v3.8.0",
          "package_slug": "go/github.com/emicklei/go-restful/v2",
          "pubdate": "2022-06-09",
          "solution": "Upgrade to versions 2.16.0, 3.8.0 or above.",
          "title": "Authorization Bypass Through User-Controlled Key in go-restful",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-1996",
            "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10",
            "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1",
            "https://github.com/emicklei/go-restful/issues/489",
            "https://github.com/advisories/GHSA-r48q-9g5r-8q2h"
          ],
          "uuid": "34f7f7fe-7ded-4b51-ba08-2b33cfc994b1",
          "versions": [
            {
              "commit": {
                "sha": "8ed6b2ad87c8242589da4e1aa62ca62a130bdb39",
                "tags": [
                  "v3.0.0"
                ],
                "timestamp": "20200112161832"
              },
              "number": "v3.0.0"
            },
            {
              "commit": {
                "sha": "3382802bdf11d941f12ad48e4cfe36f09a7dd423",
                "tags": [
                  "v3.8.0"
                ],
                "timestamp": "20220606055442"
              },
              "number": "v3.8.0"
            },
            {
              "commit": {
                "sha": "ac666c045e035603f2704c98c59e979fccbfa94f",
                "tags": [
                  "v2.16.0"
                ],
                "timestamp": "20220711191456"
              },
              "number": "v2.16.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv3.8.0",
          "affected_versions": "All versions before 3.8.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-639"
          ],
          "date": "2022-06-09",
          "description": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
          "fixed_versions": [
            "v3.8.0"
          ],
          "identifier": "CVE-2022-1996",
          "identifiers": [
            "GHSA-r48q-9g5r-8q2h",
            "CVE-2022-1996"
          ],
          "not_impacted": "All versions starting from 3.8.0",
          "package_slug": "go/github.com/emicklei/go-restful/v3",
          "pubdate": "2022-06-09",
          "solution": "Upgrade to version 3.8.0 or above.",
          "title": "Authorization Bypass Through User-Controlled Key in go-restful",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-1996",
            "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10",
            "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1",
            "https://github.com/emicklei/go-restful/issues/489",
            "https://github.com/advisories/GHSA-r48q-9g5r-8q2h"
          ],
          "uuid": "581a2d21-bf18-4826-913a-6e7e9f7f67ab",
          "versions": [
            {
              "commit": {
                "sha": "3382802bdf11d941f12ad48e4cfe36f09a7dd423",
                "tags": [
                  "v3.8.0"
                ],
                "timestamp": "20220606055442"
              },
              "number": "v3.8.0"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.8.0",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:go-restful_project:go-restful:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.16.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-1996"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-639"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
            },
            {
              "name": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
            },
            {
              "name": "FEDORA-2022-185697ef56",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
            },
            {
              "name": "FEDORA-2022-589a0ad690",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
            },
            {
              "name": "FEDORA-2022-fae3ecee19",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
            },
            {
              "name": "FEDORA-2022-ba365d3703",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
            },
            {
              "name": "FEDORA-2022-30c5ed5625",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220923-0005/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
            },
            {
              "name": "FEDORA-2023-4e2068ba5d",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
            },
            {
              "name": "FEDORA-2023-6550d9323b",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
            },
            {
              "name": "FEDORA-2023-c9b2182a4e",
              "refsource": "FEDORA",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-02-23T04:15Z",
      "publishedDate": "2022-06-08T13:15Z"
    }
  }
}

MSRC_CVE-2022-1996

Vulnerability from csaf_microsoft - Published: 2022-06-02 00:00 - Updated: 2026-02-18 14:53

Summary

Authorization Bypass Through User-Controlled Key in emicklei/go-restful

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2022-1996

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-639 - Authorization Bypass Through User-Controlled Key

Affected products

Fixed 4 products

Product	Identifier	Version	Remediation
Unresolved product id: 20235-17084		—
Unresolved product id: 19877-17084		—
Unresolved product id: 17761-17084		—
Unresolved product id: 18528-17084		—

Known affected 4 products

Product	Version	Remediation
Unresolved product id: 17084-1	—	Vendor Fix fix
Unresolved product id: 17084-2	—	Vendor Fix fix
Unresolved product id: 17084-4	—	Vendor Fix fix
Unresolved product id: 17084-3	—	Vendor Fix fix

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2022/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2022/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-1996 Authorization Bypass Through User-Controlled Key in emicklei/go-restful - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-1996.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Authorization Bypass Through User-Controlled Key in emicklei/go-restful",
    "tracking": {
      "current_release_date": "2026-02-18T14:53:30.000Z",
      "generator": {
        "date": "2026-02-21T10:36:33.500Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-1996",
      "initial_release_date": "2022-06-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-06-30T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2024-08-29T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2024-08-30T00:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Information published."
        },
        {
          "date": "2024-08-31T00:00:00.000Z",
          "legacy_version": "1.3",
          "number": "4",
          "summary": "Information published."
        },
        {
          "date": "2024-09-01T00:00:00.000Z",
          "legacy_version": "1.4",
          "number": "5",
          "summary": "Information published."
        },
        {
          "date": "2024-09-02T00:00:00.000Z",
          "legacy_version": "1.5",
          "number": "6",
          "summary": "Information published."
        },
        {
          "date": "2024-09-03T00:00:00.000Z",
          "legacy_version": "1.6",
          "number": "7",
          "summary": "Information published."
        },
        {
          "date": "2024-09-05T00:00:00.000Z",
          "legacy_version": "1.7",
          "number": "8",
          "summary": "Information published."
        },
        {
          "date": "2024-09-06T00:00:00.000Z",
          "legacy_version": "1.8",
          "number": "9",
          "summary": "Information published."
        },
        {
          "date": "2024-09-07T00:00:00.000Z",
          "legacy_version": "1.9",
          "number": "10",
          "summary": "Information published."
        },
        {
          "date": "2024-09-08T00:00:00.000Z",
          "legacy_version": "2",
          "number": "11",
          "summary": "Information published."
        },
        {
          "date": "2024-09-11T00:00:00.000Z",
          "legacy_version": "2.1",
          "number": "12",
          "summary": "Information published."
        },
        {
          "date": "2026-02-18T14:53:30.000Z",
          "legacy_version": "2.2",
          "number": "13",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 sriov-network-device-plugin 3.5.1-3",
                "product": {
                  "name": "\u003cazl3 sriov-network-device-plugin 3.5.1-3",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 sriov-network-device-plugin 3.5.1-3",
                "product": {
                  "name": "azl3 sriov-network-device-plugin 3.5.1-3",
                  "product_id": "20235"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 sriov-network-device-plugin 3.7.0-1",
                "product": {
                  "name": "\u003cazl3 sriov-network-device-plugin 3.7.0-1",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 sriov-network-device-plugin 3.7.0-1",
                "product": {
                  "name": "azl3 sriov-network-device-plugin 3.7.0-1",
                  "product_id": "18528"
                }
              }
            ],
            "category": "product_name",
            "name": "sriov-network-device-plugin"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 keda 2.4.0-15",
                "product": {
                  "name": "\u003cazl3 keda 2.4.0-15",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 keda 2.4.0-15",
                "product": {
                  "name": "azl3 keda 2.4.0-15",
                  "product_id": "19877"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 keda 2.14.0-1",
                "product": {
                  "name": "\u003cazl3 keda 2.14.0-1",
                  "product_id": "4"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 keda 2.14.0-1",
                "product": {
                  "name": "azl3 keda 2.14.0-1",
                  "product_id": "17761"
                }
              }
            ],
            "category": "product_name",
            "name": "keda"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 sriov-network-device-plugin 3.5.1-3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 sriov-network-device-plugin 3.5.1-3 as a component of Azure Linux 3.0",
          "product_id": "20235-17084"
        },
        "product_reference": "20235",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 keda 2.4.0-15 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 keda 2.4.0-15 as a component of Azure Linux 3.0",
          "product_id": "19877-17084"
        },
        "product_reference": "19877",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 keda 2.14.0-1 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 keda 2.14.0-1 as a component of Azure Linux 3.0",
          "product_id": "17761-17084"
        },
        "product_reference": "17761",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 sriov-network-device-plugin 3.7.0-1 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 sriov-network-device-plugin 3.7.0-1 as a component of Azure Linux 3.0",
          "product_id": "18528-17084"
        },
        "product_reference": "18528",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1996",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "notes": [
        {
          "category": "general",
          "text": "@huntrdev",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "20235-17084",
          "19877-17084",
          "17761-17084",
          "18528-17084"
        ],
        "known_affected": [
          "17084-1",
          "17084-2",
          "17084-4",
          "17084-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-1996 Authorization Bypass Through User-Controlled Key in emicklei/go-restful - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-1996.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-06-30T07:00:00.000Z",
          "details": "3.7.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-1",
            "17084-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2024-06-30T07:00:00.000Z",
          "details": "2.14.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-2",
            "17084-4"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.1,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "17084-1",
            "17084-2",
            "17084-4",
            "17084-3"
          ]
        }
      ],
      "title": "Authorization Bypass Through User-Controlled Key in emicklei/go-restful"
    }
  ]
}

OPENSUSE-SU-2022:10081-1

Vulnerability from csaf_opensuse - Published: 2022-08-06 16:01 - Updated: 2022-08-06 16:01

Summary

Security update for trivy

Severity

Moderate

Notes

Title of the patch: Security update for trivy

Description of the patch: This update for trivy fixes the following issues: trivy was updated to version 0.30.4: * fix: remove the first arg when running as a plugin (#2595) * fix: k8s controlplaner scanning (#2593) * fix(vuln): GitLab report template (#2578) Update to version 0.30.3: * fix(server): use a new db worker for hot updates (#2581) * docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583) * docs: split commands to download db for different versions of oras (#2582) * feat(report): export exitcode for license checks (#2564) * fix: cli can use lowercase for severities (#2565) * fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577) * fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569) * fix: enable some features of the wasm runtime (#2575) * fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521) * docs(sbom): improve sbom attestation documentation (#2566) Update to version 0.30.2: * fix(report): show the summary without results (#2548) * fix(cli): replace '-' to '_' for env vars (#2561) Update to version 0.30.1: * chore: remove a test repository (#2551) * fix(license): lazy loading of classifiers (#2547) * fix: CVE-2022-1996 in Trivy (#2499) * docs(sbom): add sbom attestation (#2527) * feat(rocky): set Rocky Linux 9 EOL (#2543) * docs: add attributes to the video tag to autoplay demo videos (#2538) * fix: yaml files with non-string chart name (#2534) * fix: skip dirs (#2530) * feat(repo): add support for branch, commit, & tag (#2494) * fix: remove auto configure environment variables via viper (#2526) Update to version 0.30.0: * fix: separating multiple licenses from one line in dpkg copyright files (#2508) * fix: change a capital letter for `plugin uninstall` subcommand (#2519) * fix: k8s hide empty report when scanning resource (#2517) * refactor: fix comments (#2516) * fix: scan vendor dir (#2515) * feat: Add support for license scanning (#2418) * chore: add owners for secret scanning (#2485) * fix: remove dependency-tree flag for image subcommand (#2492) * fix(k8s): add shorthand for k8s namespace flag (#2495) * docs: add information about using multiple servers to troubleshooting (#2498) * ci: add pushing canary build images to registries (#2428) * feat(dotnet): add support for .Net core .deps.json files (#2487) * feat(amazon): add support for 2022 version (#2429) * Type correction bitnami chart (#2415) * docs: add config file and update CLI references (#2489) * feat: add support for flag groups (#2488) * refactor: move from urfave/cli to spf13/cobra (#2458) * fix: Fix secrets output not containing file/lines (#2467) * fix: clear output with modules (#2478) * docs(cbl): distroless 1.0 supported (#2473) * fix: Fix example dockerfile rego policy (#2460) * fix(config): add helm to list of config analyzers (#2457) * feat: k8s resouces scan (#2395) * feat(sbom): add cyclonedx sbom scan (#2203) * docs: remove links to removed content (#2431) * ci: added rpm build for rhel 9 (#2437) * fix(secret): remove space from asymmetric private key (#2434) * test(integration): fix golden files for debian 9 (#2435) * fix(cli): fix version string in docs link when secret scanning is enabled (#2422) * refactor: move CycloneDX marshaling (#2420) * docs(nodejs): add docs about pnpm support (#2423) * docs: improve k8s usage documentation (#2425) * feat: Make secrets scanning output consistant (#2410) * ci: create canary build after main branch changes (#1638) * fix(misconf): skip broken scans (#2396) * feat(nodejs): add pnpm support (#2414) * fix: Fix false positive for use of COS images (#2413) * eliminate nerdctl dependency (#2412) * Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403) * fix(go): no cast to lowercase go package names (#2401) * BREAKING(sbom): change 'trivy sbom' to scan SBOM (#2408) * fix(server): hot update the db from custom repository (#2406) * feat: added license parser for dpkg (#2381) * fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400) * feat: extract stripe publishable and secret keys (#2392) * feat: rbac support k8s sub-command (#2339) * feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390) * docs: Updating README with new CLI command (#2359) * fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383) * chore: add integration label and merge security label (#2316) Update to version 0.29.2: * chore: skip Visual Studio Code project folder (#2379) * fix(helm): handle charts with templated names (#2374) * docs: redirect operator docs to trivy-operator repo (#2372) * fix(secret): use secret result when determining Failed status (#2370) * try removing libdb-dev * run integration tests in fanal * use same testing images in fanal * feat(helm): add support for trivy dbRepository (#2345) * fix: Fix failing test due to deref lint issue * test: Fix broken test * fix: Fix makefile when no previous named ref is visible in a shallow clone * chore: Fix linting issues in fanal * refactor: Fix fanal import paths and remove dotfiles Update to version 0.29.1: * fix(report): add required fields to the SARIF template (#2341) * chore: fix spelling errors (#2352) * Omit Remediation if PrimaryURL is empty (#2006) * docs(repo): Link to installation documentation in readme shows 404 (#2348) * feat(alma): support for scanning of modular packages for AlmaLinux (#2347) Update to version 0.29.0: * fix(lang): fix dependency graph in client server mode (#2336) * feat: allow expiration date for .trivyignore entries (#2332) * feat(lang): add dependency origin graph (#1970) * docs: update nix installation info (#2331) * feat: add rbac scanning support (#2328) * refactor: move WordPress module to another repository (#2329) * ci: add support for ppc64le (#2281) * feat: add support for WASM modules (#2195) * feat(secret): show recommendation for slow scanning (#2051) * fix(flag): remove --clear-cache flag client mode (#2301) * fix(java): added check for looping for variable evaluation in pom file (#2322) * BREAKING(k8s): change CLI API (#2186) * feat(alpine): add Alpine Linux 3.16 (#2319) * ci: add `go mod tidy` check (#2314) * chore: run `go mod tidy` (#2313) * fix: do not exit if one resource is not found (#2311) * feat(cli): use stderr for all log messages (resolve #381) (#2289) * test: replace deprecated subcommand client in integration tests (#2308) * feat: add support for containerd (#2305) * fix(kubernetes): Support floats in manifest yaml (#2297) * docs(kubernetes): dead links (#2307) * chore: add license label (#2304) * feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293) * feat(helm): add pod annotations (#2272) * refactor: do not import defsec in fanal types package (#2292) * feat(report): Add misconfiguration support to ASFF report template (#2285) * test: use images in GHCR (#2275) * feat(helm): support pod annotations (#2265) * feat(misconf): Helm chart scanning (#2269) * docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267) * fix: mask redis credentials when logging (#2264) * refactor: extract commands Runner interface (#2147) * docs: update operator release (#2263) * feat(redhat): added architecture check (#2172) * docs: updating links in the docs to work again (#2256) * docs: fix readme (#2251) * fix: fixed incorrect CycloneDX output format (#2255) * refactor(deps): move dependencies to package (#2189) * fix(report): change github format version to required (#2229) * docs: update readme (#2110) * docs: added information about choosing advisory database (#2212) * chore: update trivy-kubernetes (#2224) * docs: clarifying parts of the k8s docs and updating links (#2222) * fix(k8s): timeout error logging (#2179) * chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214) * feat(k8s): add --context flag (#2171) * fix(k8s): properly instantiate TableWriter (#2175) * test: fixed integration tests after updating testcontainers to v0.13.0 (#2208) * chore: update labels (#2197) * fix(report): fixed panic if all misconf reports were removed in filter (#2188) * feat(k8s): scan secrets (#2178) * feat(report): GitHub Dependency Snapshots support (#1522) * feat(db): added insecure skip tls verify to download trivy db (#2140) * fix(redhat): always use vulns with fixed version if there is one (#2165) * chore(redhat): Add support for Red Hat UBI 9. (#2183) * fix(k8s): update trivy-kubernetes (#2163) * fix misconfig start line for code quality tpl (#2181) * fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176) * docs(vuln): Include GitLab 15.0 integration (#2153) * docs: fix the operator version (#2167) * fix(k8s): summary report when when only vulns exit (#2146) * chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156) * perf(misconf): Improve performance when scanning very large files (#2152) * docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150) * chore(deps): Update fanal (for less verbose code in misconf results) (#2151) * docs: fixed installation instruction for rhel/centos (#2143)

Patchnames: openSUSE-2022-10081

CVE-2022-1996

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64	—	Vendor Fix

Threats

Impact critical

References

7 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2022-1996/	self
https://www.suse.com/security/cve/CVE-2022-1996	external
https://bugzilla.suse.com/1200528	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for trivy",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for trivy fixes the following issues:\n\ntrivy was updated to version 0.30.4:\n\n* fix: remove the first arg when running as a plugin (#2595)\n* fix: k8s controlplaner scanning (#2593)\n* fix(vuln): GitLab report template (#2578)\n\nUpdate to version 0.30.3:\n\n* fix(server): use a new db worker for hot updates (#2581)\n* docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)\n* docs: split commands to download db for different versions of oras (#2582)\n* feat(report): export exitcode for license checks (#2564)\n* fix: cli can use lowercase for severities (#2565)\n* fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)\n* fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)\n* fix: enable some features of the wasm runtime (#2575)\n* fix(k8s): no error logged if trivy can\u0027t get docker image in kubernetes mode (#2521)\n* docs(sbom): improve sbom attestation documentation (#2566)\n\nUpdate to version 0.30.2:\n\n* fix(report): show the summary without results (#2548)\n* fix(cli): replace \u0027-\u0027 to \u0027_\u0027 for env vars (#2561)\n\nUpdate to version 0.30.1:\n\n* chore: remove a test repository (#2551)\n* fix(license): lazy loading of classifiers (#2547)\n* fix: CVE-2022-1996 in Trivy (#2499)\n* docs(sbom): add sbom attestation (#2527)\n* feat(rocky): set Rocky Linux 9 EOL (#2543)\n* docs: add attributes to the video tag to autoplay demo videos (#2538)\n* fix: yaml files with non-string chart name (#2534)\n* fix: skip dirs (#2530)\n* feat(repo): add support for branch, commit, \u0026 tag (#2494)\n* fix: remove auto configure environment variables via viper (#2526)\n\nUpdate to version 0.30.0:\n\n* fix: separating multiple licenses from one line in dpkg copyright files (#2508)\n* fix: change a capital letter for `plugin uninstall` subcommand (#2519)\n* fix: k8s hide empty report when scanning resource (#2517)\n* refactor: fix comments (#2516)\n* fix: scan vendor dir (#2515)\n* feat: Add support for license scanning (#2418)\n* chore: add owners for secret scanning (#2485)\n* fix: remove dependency-tree flag for image subcommand (#2492)\n* fix(k8s): add shorthand for k8s namespace flag (#2495)\n* docs: add information about using multiple servers to troubleshooting (#2498)\n* ci: add pushing canary build images to registries (#2428)\n* feat(dotnet): add support for .Net core .deps.json files (#2487)\n* feat(amazon): add support for 2022 version (#2429)\n* Type correction bitnami chart (#2415)\n* docs: add config file and update CLI references (#2489)\n* feat: add support for flag groups (#2488)\n* refactor: move from urfave/cli to spf13/cobra (#2458)\n* fix: Fix secrets output not containing file/lines (#2467)\n* fix: clear output with modules (#2478)\n* docs(cbl): distroless 1.0 supported (#2473)\n* fix: Fix example dockerfile rego policy (#2460)\n* fix(config): add helm to list of config analyzers (#2457)\n* feat: k8s resouces scan (#2395)\n* feat(sbom): add cyclonedx sbom scan (#2203)\n* docs: remove links to removed content (#2431)\n* ci: added rpm build for rhel 9 (#2437)\n* fix(secret): remove space from asymmetric private key (#2434)\n* test(integration): fix golden files for debian 9 (#2435)\n* fix(cli): fix version string in docs link when secret scanning is enabled (#2422)\n* refactor: move CycloneDX marshaling (#2420)\n* docs(nodejs): add docs about pnpm support (#2423)\n* docs: improve k8s usage documentation (#2425)\n* feat: Make secrets scanning output consistant (#2410)\n* ci: create canary build after main branch changes  (#1638)\n* fix(misconf): skip broken scans (#2396)\n* feat(nodejs): add pnpm support (#2414)\n* fix: Fix false positive for use of COS images (#2413)\n* eliminate nerdctl dependency (#2412)\n* Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403)\n* fix(go): no cast to lowercase go package names (#2401)\n* BREAKING(sbom): change \u0027trivy sbom\u0027 to scan SBOM (#2408)\n* fix(server): hot update the db from custom repository (#2406)\n* feat: added license parser for dpkg (#2381)\n* fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400)\n* feat: extract stripe publishable and secret keys (#2392)\n* feat: rbac support k8s sub-command (#2339)\n* feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390)\n* docs: Updating README with new CLI command (#2359)\n* fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383)\n* chore: add integration label and merge security label (#2316)\n\nUpdate to version 0.29.2:\n\n* chore: skip Visual Studio Code project folder (#2379)\n* fix(helm): handle charts with templated names (#2374)\n* docs: redirect operator docs to trivy-operator repo (#2372)\n* fix(secret): use secret result when determining Failed status (#2370)\n* try removing libdb-dev\n* run integration tests in fanal\n* use same testing images in fanal\n* feat(helm): add support for trivy dbRepository (#2345)\n* fix: Fix failing test due to deref lint issue\n* test: Fix broken test\n* fix: Fix makefile when no previous named ref is visible in a shallow clone\n* chore: Fix linting issues in fanal\n* refactor: Fix fanal import paths and remove dotfiles\n\nUpdate to version 0.29.1:\n\n* fix(report): add required fields to the SARIF template (#2341)\n* chore: fix spelling errors (#2352)\n* Omit Remediation if PrimaryURL is empty (#2006)\n* docs(repo): Link to installation documentation in readme shows 404 (#2348)\n* feat(alma): support for scanning of modular packages for AlmaLinux (#2347)\n\nUpdate to version 0.29.0:\n\n* fix(lang): fix dependency graph in client server mode (#2336)\n* feat: allow expiration date for .trivyignore entries (#2332)\n* feat(lang): add dependency origin graph (#1970)\n* docs: update nix installation info (#2331)\n* feat: add rbac scanning support (#2328)\n* refactor: move WordPress module to another repository (#2329)\n* ci: add support for ppc64le (#2281)\n* feat: add support for WASM modules (#2195)\n* feat(secret): show recommendation for slow scanning (#2051)\n* fix(flag): remove --clear-cache flag client mode (#2301)\n* fix(java): added check for looping for variable evaluation in pom file (#2322)\n* BREAKING(k8s): change CLI API (#2186)\n* feat(alpine): add Alpine Linux 3.16 (#2319)\n* ci: add `go mod tidy` check (#2314)\n* chore: run `go mod tidy` (#2313)\n* fix: do not exit if one resource is not found (#2311)\n* feat(cli): use stderr for all log messages (resolve #381) (#2289)\n* test: replace deprecated subcommand client in integration tests (#2308)\n* feat: add support for containerd (#2305)\n* fix(kubernetes): Support floats in manifest yaml (#2297)\n* docs(kubernetes): dead links (#2307)\n* chore: add license label (#2304)\n* feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293)\n* feat(helm): add pod annotations (#2272)\n* refactor: do not import defsec in fanal types package (#2292)\n* feat(report): Add misconfiguration support to ASFF report template (#2285)\n* test: use images in GHCR (#2275)\n* feat(helm): support pod annotations (#2265)\n* feat(misconf): Helm chart scanning (#2269)\n* docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267)\n* fix: mask redis credentials when logging (#2264)\n* refactor: extract commands Runner interface (#2147)\n* docs: update operator release (#2263)\n* feat(redhat): added architecture check (#2172)\n* docs: updating links in the docs to work again (#2256)\n* docs: fix readme (#2251)\n* fix: fixed incorrect CycloneDX output format (#2255)\n* refactor(deps): move dependencies to package (#2189)\n* fix(report): change github format version to required (#2229)\n* docs: update readme (#2110)\n* docs: added information about choosing advisory database (#2212)\n* chore: update trivy-kubernetes (#2224)\n* docs: clarifying parts of the k8s docs and updating links (#2222)\n* fix(k8s): timeout error logging (#2179)\n* chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214)\n* feat(k8s): add --context flag (#2171)\n* fix(k8s): properly instantiate TableWriter (#2175)\n* test: fixed integration tests after updating testcontainers to v0.13.0 (#2208)\n* chore: update labels (#2197)\n* fix(report): fixed panic if all misconf reports were removed in filter (#2188)\n* feat(k8s): scan secrets (#2178)\n* feat(report): GitHub Dependency Snapshots support (#1522)\n* feat(db): added insecure skip tls verify to download trivy db (#2140)\n* fix(redhat): always use vulns with fixed version if there is one (#2165)\n* chore(redhat): Add support for Red Hat UBI 9. (#2183)\n* fix(k8s): update trivy-kubernetes (#2163)\n*  fix misconfig start line for code quality tpl (#2181)\n* fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176)\n* docs(vuln): Include GitLab 15.0 integration (#2153)\n* docs: fix the operator version (#2167)\n* fix(k8s): summary report when when only vulns exit (#2146)\n* chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156)\n* perf(misconf): Improve performance when scanning very large files (#2152)\n* docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150)\n* chore(deps): Update fanal (for less verbose code in misconf results) (#2151)\n* docs: fixed installation instruction for rhel/centos (#2143)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2022-10081",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_10081-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:10081-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HVVWQ7QWDT7GBZUAYXIWYZURAWKCEVQ/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:10081-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HVVWQ7QWDT7GBZUAYXIWYZURAWKCEVQ/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-1996 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-1996/"
      }
    ],
    "title": "Security update for trivy",
    "tracking": {
      "current_release_date": "2022-08-06T16:01:16Z",
      "generator": {
        "date": "2022-08-06T16:01:16Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:10081-1",
      "initial_release_date": "2022-08-06T16:01:16Z",
      "revision_history": [
        {
          "date": "2022-08-06T16:01:16Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.aarch64",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.aarch64",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.i586",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.i586",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.s390x",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.s390x",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.x86_64",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.x86_64",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP4",
                "product": {
                  "name": "SUSE Package Hub 15 SP4",
                  "product_id": "SUSE Package Hub 15 SP4"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.aarch64 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.i586 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.i586",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.s390x as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.x86_64 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.i586 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-1996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64",
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586",
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x",
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-1996",
          "url": "https://www.suse.com/security/cve/CVE-2022-1996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200528 for CVE-2022-1996",
          "url": "https://bugzilla.suse.com/1200528"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-08-06T16:01:16Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-1996"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-1996 (GCVE-0-2022-1996)

Solutions

Solutions

Vulnerability from cleanstart

Vulnerability from cleanstart

Tags

Sightings

Nomenclature