Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2024-41110
Vulnerability from cvelistv5
Published
2024-07-24 16:49
Modified
2024-10-13 21:03
Severity ?
EPSS score ?
Summary
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:docker:moby:19.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "19.03.15",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:20.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "20.10.27",
"status": "affected",
"version": "20.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:23.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "23.0.14",
"status": "affected",
"version": "23.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:24.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "24.0.9",
"status": "affected",
"version": "24.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:25.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "25.0.5",
"status": "affected",
"version": "25.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:26.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "26.0.2",
"status": "affected",
"version": "26.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:27.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "26.1.14",
"status": "affected",
"version": "26.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:27.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"status": "affected",
"version": "27.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:26.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "26.0.2",
"status": "affected",
"version": "26.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:26.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "26.1.14",
"status": "affected",
"version": "26.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:docker:moby:27.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moby",
"vendor": "docker",
"versions": [
{
"lessThanOrEqual": "27.0.3",
"status": "affected",
"version": "27.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T03:55:30.375492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T21:01:46.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-10-13T21:03:34.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"name": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191"
},
{
"name": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76"
},
{
"name": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"
},
{
"name": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b"
},
{
"name": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0"
},
{
"name": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1"
},
{
"name": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00"
},
{
"name": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f"
},
{
"name": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801"
},
{
"name": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb"
},
{
"name": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240802-0001/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "moby",
"vendor": "moby",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.03.0, \u003c= 19.03.15"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c= 20.10.27"
},
{
"status": "affected",
"version": "\u003e= 23.0.0, \u003c= 23.0.14"
},
{
"status": "affected",
"version": "\u003e= 24.0.0, \u003c= 24.0.9"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c= 25.0.5"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c= 26.0.2"
},
{
"status": "affected",
"version": "\u003e= 26.1.0, \u003c= 26.1.14"
},
{
"status": "affected",
"version": "\u003e= 27.0.0, \u003c= 27.0.3"
},
{
"status": "affected",
"version": "= 27.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T19:09:22.764Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"name": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191"
},
{
"name": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76"
},
{
"name": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"
},
{
"name": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b"
},
{
"name": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0"
},
{
"name": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1"
},
{
"name": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00"
},
{
"name": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f"
},
{
"name": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801"
},
{
"name": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb"
},
{
"name": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin"
}
],
"source": {
"advisory": "GHSA-v23v-6jw2-98fq",
"discovery": "UNKNOWN"
},
"title": "Moby authz zero length regression"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41110",
"datePublished": "2024-07-24T16:49:53.068Z",
"dateReserved": "2024-07-15T15:53:28.321Z",
"dateUpdated": "2024-10-13T21:03:34.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-41110\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-24T17:15:11.053\",\"lastModified\":\"2024-11-21T09:32:15.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\\n\\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\\n\\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\\n\\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\\n\\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.\"},{\"lang\":\"es\",\"value\":\"Moby es un proyecto de c\u00f3digo abierto creado por Docker para la contenedorizaci\u00f3n de software. Se ha detectado una vulnerabilidad de seguridad en determinadas versiones de Docker Engine, que podr\u00eda permitir a un atacante omitir los complementos de autorizaci\u00f3n (AuthZ) en circunstancias espec\u00edficas. La probabilidad b\u00e1sica de que esto sea explotado es baja. Utilizando una solicitud de API especialmente manipulada, un cliente de Engine API podr\u00eda hacer que el daemon reenv\u00ede la solicitud o respuesta a un complemento de autorizaci\u00f3n sin el cuerpo. En determinadas circunstancias, el complemento de autorizaci\u00f3n puede permitir una solicitud que, de otro modo, habr\u00eda rechazado si se le hubiera enviado el organismo. En 2018 se descubri\u00f3 un problema de seguridad en el que un atacante pod\u00eda omitir los complementos de AuthZ mediante una solicitud API especialmente manipulada. Esto podr\u00eda dar lugar a acciones no autorizadas, incluida la escalada de privilegios. Aunque este problema se solucion\u00f3 en Docker Engine v18.09.1 en enero de 2019, la soluci\u00f3n no se traslad\u00f3 a versiones principales posteriores, lo que result\u00f3 en una regresi\u00f3n. Cualquiera que dependa de complementos de autorizaci\u00f3n que introspeccionen el cuerpo de solicitud y/o respuesta para tomar decisiones de control de acceso se ver\u00e1 potencialmente afectado. Docker EE v19.03.x y todas las versiones de Mirantis Container Runtime no son vulnerables. docker-ce v27.1.1 contiene parches para corregir la vulnerabilidad. Los parches tambi\u00e9n se han fusionado en las ramas de versi\u00f3n maestra, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0 y 26.1. Si uno no puede actualizar inmediatamente, evite usar complementos de AuthZ y/o restrinja el acceso a la API de Docker a partes confiables, siguiendo el principio de privilegio m\u00ednimo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-187\"},{\"lang\":\"en\",\"value\":\"CWE-444\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240802-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq\", \"name\": \"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191\", \"name\": \"https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76\", \"name\": \"https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919\", \"name\": \"https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b\", \"name\": \"https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0\", \"name\": \"https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\", \"name\": \"https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00\", \"name\": \"https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f\", \"name\": \"https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801\", \"name\": \"https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\", \"name\": \"https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin\", \"name\": \"https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240802-0001/\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-10-13T21:03:34.392Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41110\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-26T03:55:30.375492Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:docker:moby:19.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"19.03.15\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:20.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"20.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"20.10.27\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:23.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"23.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"23.0.14\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:24.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"24.0.9\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:25.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"25.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"25.0.5\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:26.1.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"26.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"26.0.2\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:27.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"26.1.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"26.1.14\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:27.1.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"27.1.0\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:26.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"26.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"26.0.2\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:26.1.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"26.1.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"26.1.14\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:docker:moby:27.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"27.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"27.0.3\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-24T20:02:34.755Z\"}}], \"cna\": {\"title\": \"Moby authz zero length regression\", \"source\": {\"advisory\": \"GHSA-v23v-6jw2-98fq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"moby\", \"product\": \"moby\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 19.03.0, \u003c= 19.03.15\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0, \u003c= 20.10.27\"}, {\"status\": \"affected\", \"version\": \"\u003e= 23.0.0, \u003c= 23.0.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 24.0.0, \u003c= 24.0.9\"}, {\"status\": \"affected\", \"version\": \"\u003e= 25.0.0, \u003c= 25.0.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 26.0.0, \u003c= 26.0.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 26.1.0, \u003c= 26.1.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 27.0.0, \u003c= 27.0.3\"}, {\"status\": \"affected\", \"version\": \"= 27.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq\", \"name\": \"https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191\", \"name\": \"https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76\", \"name\": \"https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919\", \"name\": \"https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b\", \"name\": \"https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0\", \"name\": \"https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\", \"name\": \"https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00\", \"name\": \"https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f\", \"name\": \"https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801\", \"name\": \"https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\", \"name\": \"https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin\", \"name\": \"https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\\n\\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\\n\\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\\n\\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\\n\\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-187\", \"description\": \"CWE-187: Partial String Comparison\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-30T19:09:22.764Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-41110\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-13T21:03:34.392Z\", \"dateReserved\": \"2024-07-15T15:53:28.321Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-24T16:49:53.068Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
wid-sec-w-2024-1703
Vulnerability from csaf_certbund
Published
2024-07-23 22:00
Modified
2024-12-17 23:00
Summary
docker: Schwachstelle ermöglicht Privilegieneskalation
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Docker ist eine Open-Source-Software, die dazu verwendet werden kann, Anwendungen mithilfe von Betriebssystemvirtualisierung in Containern zu isolieren.
Angriff
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in docker ausnutzen, um seine Privilegien zu erhöhen.
Betroffene Betriebssysteme
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Docker ist eine Open-Source-Software, die dazu verwendet werden kann, Anwendungen mithilfe von Betriebssystemvirtualisierung in Containern zu isolieren.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in docker ausnutzen, um seine Privilegien zu erh\u00f6hen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-1703 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1703.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-1703 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1703"
},
{
"category": "external",
"summary": "Docker Security Advisory vom 2024-07-23",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/"
},
{
"category": "external",
"summary": "GitHub Advisory Database",
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASNITRO-ENCLAVES-2024-041 vom 2024-07-31",
"url": "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2024-041.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASDOCKER-2024-040 vom 2024-07-31",
"url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2024-040.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:2709-1 vom 2024-08-02",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019086.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:2801-1 vom 2024-08-07",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019134.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:2801-2 vom 2024-08-07",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019136.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASECS-2024-042 vom 2024-09-03",
"url": "https://alas.aws.amazon.com/AL2/ALASECS-2024-042.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:3120-1 vom 2024-09-03",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019345.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2024-2630 vom 2024-09-05",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2630.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-3918 vom 2024-10-13",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2024:14446-1 vom 2024-11-02",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4IY5X4DAH24CGCGTMMLFUPNY6HNUSGO4/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4205-1 vom 2024-12-05",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019929.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4204-1 vom 2024-12-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/AELXIWNC3EYNC4DYGY52NQEL46H2XQNB/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4319-1 vom 2024-12-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020003.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7161-1 vom 2024-12-16",
"url": "https://ubuntu.com/security/notices/USN-7161-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4360-1 vom 2024-12-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5QN46RDSEXZFITMIFYI2BFRQ6NL6TXZB/"
}
],
"source_lang": "en-US",
"title": "docker: Schwachstelle erm\u00f6glicht Privilegieneskalation",
"tracking": {
"current_release_date": "2024-12-17T23:00:00.000+00:00",
"generator": {
"date": "2024-12-18T10:19:15.131+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.10"
}
},
"id": "WID-SEC-W-2024-1703",
"initial_release_date": "2024-07-23T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-07-23T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-07-31T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-08-04T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-08-06T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-08-07T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-09-03T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Amazon und SUSE aufgenommen"
},
{
"date": "2024-09-05T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-10-13T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2024-11-03T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2024-12-05T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-12-15T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-12-16T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2024-12-17T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "13"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Desktop \u003c4.33",
"product": {
"name": "Open Source docker Desktop \u003c4.33",
"product_id": "T036415"
}
},
{
"category": "product_version",
"name": "Desktop 4.33",
"product": {
"name": "Open Source docker Desktop 4.33",
"product_id": "T036415-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:docker:docker:desktop__4.33"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=19.03.15",
"product": {
"name": "Open Source docker \u003c=19.03.15",
"product_id": "T036421"
}
},
{
"category": "product_version_range",
"name": "\u003c=19.03.15",
"product": {
"name": "Open Source docker \u003c=19.03.15",
"product_id": "T036421-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.10.27",
"product": {
"name": "Open Source docker \u003c=20.10.27",
"product_id": "T036422"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.10.27",
"product": {
"name": "Open Source docker \u003c=20.10.27",
"product_id": "T036422-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.0.14",
"product": {
"name": "Open Source docker \u003c=23.0.14",
"product_id": "T036423"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.0.14",
"product": {
"name": "Open Source docker \u003c=23.0.14",
"product_id": "T036423-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.0.9",
"product": {
"name": "Open Source docker \u003c=24.0.9",
"product_id": "T036424"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.0.9",
"product": {
"name": "Open Source docker \u003c=24.0.9",
"product_id": "T036424-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=25.0.5",
"product": {
"name": "Open Source docker \u003c=25.0.5",
"product_id": "T036425"
}
},
{
"category": "product_version_range",
"name": "\u003c=25.0.5",
"product": {
"name": "Open Source docker \u003c=25.0.5",
"product_id": "T036425-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.0.2",
"product": {
"name": "Open Source docker \u003c=26.0.2",
"product_id": "T036426"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.0.2",
"product": {
"name": "Open Source docker \u003c=26.0.2",
"product_id": "T036426-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.1.4",
"product": {
"name": "Open Source docker \u003c=26.1.4",
"product_id": "T036427"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.1.4",
"product": {
"name": "Open Source docker \u003c=26.1.4",
"product_id": "T036427-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.0.3",
"product": {
"name": "Open Source docker \u003c=27.0.3",
"product_id": "T036428"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.0.3",
"product": {
"name": "Open Source docker \u003c=27.0.3",
"product_id": "T036428-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.1.0",
"product": {
"name": "Open Source docker \u003c=27.1.0",
"product_id": "T036429"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.1.0",
"product": {
"name": "Open Source docker \u003c=27.1.0",
"product_id": "T036429-fixed"
}
}
],
"category": "product_name",
"name": "docker"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-41110",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle im AuthZ-Plugin in Docker aufgrund einer falschen Autorisierung. Dieser Fehler erlaubt es, eine API-Anfrage ohne Body zu verwenden und an das Plugin zu \u00fcbergeben. Dieses akzeptiert die Anfrage ggf. f\u00e4lschlicherweise. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um die Autorisierung zu umgehen und somit seine Privilegien zu erweitern."
}
],
"product_status": {
"known_affected": [
"2951",
"T002207",
"T036415",
"T000126",
"T027843",
"398363"
],
"last_affected": [
"T036429",
"T036425",
"T036426",
"T036427",
"T036428",
"T036421",
"T036422",
"T036423",
"T036424"
]
},
"release_date": "2024-07-23T22:00:00.000+00:00",
"title": "CVE-2024-41110"
}
]
}
WID-SEC-W-2024-1703
Vulnerability from csaf_certbund
Published
2024-07-23 22:00
Modified
2024-12-17 23:00
Summary
docker: Schwachstelle ermöglicht Privilegieneskalation
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Docker ist eine Open-Source-Software, die dazu verwendet werden kann, Anwendungen mithilfe von Betriebssystemvirtualisierung in Containern zu isolieren.
Angriff
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in docker ausnutzen, um seine Privilegien zu erhöhen.
Betroffene Betriebssysteme
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Docker ist eine Open-Source-Software, die dazu verwendet werden kann, Anwendungen mithilfe von Betriebssystemvirtualisierung in Containern zu isolieren.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in docker ausnutzen, um seine Privilegien zu erh\u00f6hen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-1703 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1703.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-1703 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1703"
},
{
"category": "external",
"summary": "Docker Security Advisory vom 2024-07-23",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/"
},
{
"category": "external",
"summary": "GitHub Advisory Database",
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASNITRO-ENCLAVES-2024-041 vom 2024-07-31",
"url": "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2024-041.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASDOCKER-2024-040 vom 2024-07-31",
"url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2024-040.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:2709-1 vom 2024-08-02",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019086.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:2801-1 vom 2024-08-07",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019134.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:2801-2 vom 2024-08-07",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-August/019136.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASECS-2024-042 vom 2024-09-03",
"url": "https://alas.aws.amazon.com/AL2/ALASECS-2024-042.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:3120-1 vom 2024-09-03",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-September/019345.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2024-2630 vom 2024-09-05",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2630.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-3918 vom 2024-10-13",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2024:14446-1 vom 2024-11-02",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4IY5X4DAH24CGCGTMMLFUPNY6HNUSGO4/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4205-1 vom 2024-12-05",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019929.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4204-1 vom 2024-12-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/AELXIWNC3EYNC4DYGY52NQEL46H2XQNB/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4319-1 vom 2024-12-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020003.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7161-1 vom 2024-12-16",
"url": "https://ubuntu.com/security/notices/USN-7161-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:4360-1 vom 2024-12-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5QN46RDSEXZFITMIFYI2BFRQ6NL6TXZB/"
}
],
"source_lang": "en-US",
"title": "docker: Schwachstelle erm\u00f6glicht Privilegieneskalation",
"tracking": {
"current_release_date": "2024-12-17T23:00:00.000+00:00",
"generator": {
"date": "2024-12-18T10:19:15.131+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.10"
}
},
"id": "WID-SEC-W-2024-1703",
"initial_release_date": "2024-07-23T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-07-23T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-07-31T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-08-04T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-08-06T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-08-07T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-09-03T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Amazon und SUSE aufgenommen"
},
{
"date": "2024-09-05T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-10-13T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2024-11-03T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2024-12-05T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-12-15T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-12-16T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2024-12-17T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "13"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Desktop \u003c4.33",
"product": {
"name": "Open Source docker Desktop \u003c4.33",
"product_id": "T036415"
}
},
{
"category": "product_version",
"name": "Desktop 4.33",
"product": {
"name": "Open Source docker Desktop 4.33",
"product_id": "T036415-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:docker:docker:desktop__4.33"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=19.03.15",
"product": {
"name": "Open Source docker \u003c=19.03.15",
"product_id": "T036421"
}
},
{
"category": "product_version_range",
"name": "\u003c=19.03.15",
"product": {
"name": "Open Source docker \u003c=19.03.15",
"product_id": "T036421-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.10.27",
"product": {
"name": "Open Source docker \u003c=20.10.27",
"product_id": "T036422"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.10.27",
"product": {
"name": "Open Source docker \u003c=20.10.27",
"product_id": "T036422-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.0.14",
"product": {
"name": "Open Source docker \u003c=23.0.14",
"product_id": "T036423"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.0.14",
"product": {
"name": "Open Source docker \u003c=23.0.14",
"product_id": "T036423-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.0.9",
"product": {
"name": "Open Source docker \u003c=24.0.9",
"product_id": "T036424"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.0.9",
"product": {
"name": "Open Source docker \u003c=24.0.9",
"product_id": "T036424-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=25.0.5",
"product": {
"name": "Open Source docker \u003c=25.0.5",
"product_id": "T036425"
}
},
{
"category": "product_version_range",
"name": "\u003c=25.0.5",
"product": {
"name": "Open Source docker \u003c=25.0.5",
"product_id": "T036425-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.0.2",
"product": {
"name": "Open Source docker \u003c=26.0.2",
"product_id": "T036426"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.0.2",
"product": {
"name": "Open Source docker \u003c=26.0.2",
"product_id": "T036426-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.1.4",
"product": {
"name": "Open Source docker \u003c=26.1.4",
"product_id": "T036427"
}
},
{
"category": "product_version_range",
"name": "\u003c=26.1.4",
"product": {
"name": "Open Source docker \u003c=26.1.4",
"product_id": "T036427-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.0.3",
"product": {
"name": "Open Source docker \u003c=27.0.3",
"product_id": "T036428"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.0.3",
"product": {
"name": "Open Source docker \u003c=27.0.3",
"product_id": "T036428-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.1.0",
"product": {
"name": "Open Source docker \u003c=27.1.0",
"product_id": "T036429"
}
},
{
"category": "product_version_range",
"name": "\u003c=27.1.0",
"product": {
"name": "Open Source docker \u003c=27.1.0",
"product_id": "T036429-fixed"
}
}
],
"category": "product_name",
"name": "docker"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-41110",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle im AuthZ-Plugin in Docker aufgrund einer falschen Autorisierung. Dieser Fehler erlaubt es, eine API-Anfrage ohne Body zu verwenden und an das Plugin zu \u00fcbergeben. Dieses akzeptiert die Anfrage ggf. f\u00e4lschlicherweise. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um die Autorisierung zu umgehen und somit seine Privilegien zu erweitern."
}
],
"product_status": {
"known_affected": [
"2951",
"T002207",
"T036415",
"T000126",
"T027843",
"398363"
],
"last_affected": [
"T036429",
"T036425",
"T036426",
"T036427",
"T036428",
"T036421",
"T036422",
"T036423",
"T036424"
]
},
"release_date": "2024-07-23T22:00:00.000+00:00",
"title": "CVE-2024-41110"
}
]
}
wid-sec-w-2025-0001
Vulnerability from csaf_certbund
Published
2025-01-01 23:00
Modified
2025-01-06 23:00
Summary
IBM DB2: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.
Angriff
Ein entfernter oder lokaler Angreifer kann mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data ausnutzen, um seine Privilegien zu erhöhen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen.
Betroffene Betriebssysteme
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter oder lokaler Angreifer kann mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0001 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0001.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0001 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0001"
},
{
"category": "external",
"summary": "IBM Security Bulletin vom 2025-01-01",
"url": "https://www.ibm.com/support/pages/node/7180105"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7180361 vom 2025-01-07",
"url": "https://www.ibm.com/support/pages/node/7180361"
}
],
"source_lang": "en-US",
"title": "IBM DB2: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-01-06T23:00:00.000+00:00",
"generator": {
"date": "2025-01-07T11:42:20.646+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.10"
}
},
"id": "WID-SEC-W-2025-0001",
"initial_release_date": "2025-01-01T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-01-01T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-01-06T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.1.0",
"product": {
"name": "IBM DB2 \u003c5.1.0",
"product_id": "T039987"
}
},
{
"category": "product_version",
"name": "5.1.0",
"product": {
"name": "IBM DB2 5.1.0",
"product_id": "T039987-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:5.1.0"
}
}
},
{
"category": "product_version_range",
"name": "Warehouse \u003c5.1.0",
"product": {
"name": "IBM DB2 Warehouse \u003c5.1.0",
"product_id": "T039988"
}
},
{
"category": "product_version",
"name": "Warehouse 5.1.0",
"product": {
"name": "IBM DB2 Warehouse 5.1.0",
"product_id": "T039988-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:warehouse__5.1.0"
}
}
}
],
"category": "product_name",
"name": "DB2"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.1.6.4",
"product": {
"name": "IBM Spectrum Protect Plus \u003c10.1.6.4",
"product_id": "T040030"
}
},
{
"category": "product_version",
"name": "10.1.6.4",
"product": {
"name": "IBM Spectrum Protect Plus 10.1.6.4",
"product_id": "T040030-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_protect_plus:10.1.6.4"
}
}
}
],
"category": "product_name",
"name": "Spectrum Protect Plus"
}
],
"category": "vendor",
"name": "IBM"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-32740",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2021-32740"
},
{
"cve": "CVE-2021-41186",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2021-41186"
},
{
"cve": "CVE-2022-0759",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2022-0759"
},
{
"cve": "CVE-2022-24795",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2022-24795"
},
{
"cve": "CVE-2022-31163",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2022-31163"
},
{
"cve": "CVE-2023-39325",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2023-39325"
},
{
"cve": "CVE-2023-41993",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2023-41993"
},
{
"cve": "CVE-2023-45283",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2023-45283"
},
{
"cve": "CVE-2023-45288",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2023-6597",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2023-6597"
},
{
"cve": "CVE-2024-0406",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-0406"
},
{
"cve": "CVE-2024-20918",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-20918"
},
{
"cve": "CVE-2024-20952",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-20952"
},
{
"cve": "CVE-2024-2398",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-2398"
},
{
"cve": "CVE-2024-24786",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-24786"
},
{
"cve": "CVE-2024-27281",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-27281"
},
{
"cve": "CVE-2024-2961",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-2961"
},
{
"cve": "CVE-2024-29857",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-29857"
},
{
"cve": "CVE-2024-33599",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-33599"
},
{
"cve": "CVE-2024-33883",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-33883"
},
{
"cve": "CVE-2024-37370",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-37370"
},
{
"cve": "CVE-2024-37371",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-37371"
},
{
"cve": "CVE-2024-37890",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-37890"
},
{
"cve": "CVE-2024-39338",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-39338"
},
{
"cve": "CVE-2024-4068",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-4068"
},
{
"cve": "CVE-2024-41110",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-41110"
},
{
"cve": "CVE-2024-41123",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-41123"
},
{
"cve": "CVE-2024-41946",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-41946"
},
{
"cve": "CVE-2024-45296",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-45296"
},
{
"cve": "CVE-2024-45491",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-45491"
},
{
"cve": "CVE-2024-45590",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-45590"
},
{
"cve": "CVE-2024-47220",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-47220"
},
{
"cve": "CVE-2024-47554",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-47554"
},
{
"cve": "CVE-2024-6119",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-6119"
},
{
"cve": "CVE-2024-6345",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data. Diese existieren wegen unsachgem\u00e4\u00dfer \u00dcberpr\u00fcfungen, sowie Fehlern in der Speicherbehandlung, Eingabevalidierung und Berechtigungsverwaltung bez\u00fcglich der genutzten Komponenten, wie z.B. Java SE, cURL, Bouncy Castle, Kerberos und expat. Ein entfernter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T040030",
"T039988",
"T039987"
]
},
"release_date": "2025-01-01T23:00:00.000+00:00",
"title": "CVE-2024-6345"
}
]
}
NCSC-2024-0318
Vulnerability from csaf_ncscnl
Published
2024-07-25 11:28
Modified
2024-07-25 11:28
Summary
Kwetsbaarheden verholpen in Docker Moby
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er is een kwetsbaarheid verholpen in Docker Moby.
Interpretaties
De kwetsbaarheid stelt een kwaadwillende in staat om via een API request zijn rechten te verhogen door middel van het omzeilen van een beveiligingsmaatregel. Deze kwetsbaarheid is alleen te misbruiken als er gebruik wordt gemaakt van een AuthZ plugin om toegangsrechten te beheren.
Oplossingen
Het Docker team heeft een update uitgebracht om de kwetsbaarheid te verhelpen in Moby. Als updaten niet mogelijk is wordt door Docker geadviseerd om de plug-in uit te schakelen. Daarnaast is het goed gebruik om leastprivilege op een dergelijke API toe te passen.
Zie de referentie voor meer informatie.
Kans
medium
Schade
high
CWE-187
Partial String Comparison
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-863
Incorrect Authorization
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Er is een kwetsbaarheid verholpen in Docker Moby. ",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheid stelt een kwaadwillende in staat om via een API request zijn rechten te verhogen door middel van het omzeilen van een beveiligingsmaatregel. Deze kwetsbaarheid is alleen te misbruiken als er gebruik wordt gemaakt van een AuthZ plugin om toegangsrechten te beheren. \n\n\n",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Het Docker team heeft een update uitgebracht om de kwetsbaarheid te verhelpen in Moby. Als updaten niet mogelijk is wordt door Docker geadviseerd om de plug-in uit te schakelen. Daarnaast is het goed gebruik om leastprivilege op een dergelijke API toe te passen. \n\nZie de referentie voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "general",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41110"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/"
}
],
"title": "Kwetsbaarheden verholpen in Docker Moby ",
"tracking": {
"current_release_date": "2024-07-25T11:28:37.900721Z",
"id": "NCSC-2024-0318",
"initial_release_date": "2024-07-25T11:28:37.900721Z",
"revision_history": [
{
"date": "2024-07-25T11:28:37.900721Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510025",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___19.0.0_____19.03.15:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510026",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___20.0.0_____20.10.27:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510027",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___23.0.0_____23.0.14:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510028",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___24.0.0_____24.0.9:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510029",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___25.0.0_____25.0.5:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510030",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___26.0.0_____26.0.2:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510031",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___26.1.0_____26.1.14:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510032",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___27.0.0_____27.0.3:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510033",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:__27.1.0:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "moby"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-41110",
"cwe": {
"id": "CWE-187",
"name": "Partial String Comparison"
},
"notes": [
{
"category": "other",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1510025",
"CSAFPID-1510026",
"CSAFPID-1510027",
"CSAFPID-1510028",
"CSAFPID-1510029",
"CSAFPID-1510030",
"CSAFPID-1510031",
"CSAFPID-1510032",
"CSAFPID-1510033"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-41110",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-41110.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1510025",
"CSAFPID-1510026",
"CSAFPID-1510027",
"CSAFPID-1510028",
"CSAFPID-1510029",
"CSAFPID-1510030",
"CSAFPID-1510031",
"CSAFPID-1510032",
"CSAFPID-1510033"
]
}
],
"title": "CVE-2024-41110"
}
]
}
NCSC-2024-0339
Vulnerability from csaf_ncscnl
Published
2024-08-13 18:23
Modified
2024-08-13 18:23
Summary
Kwetsbaarheden verholpen in Microsoft Mariner
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Microsoft heeft kwetsbaarheden verholpen in Mariner (Azure Linux).
Interpretaties
De kwetsbaarheden betreffen oudere kwetsbaarheden in diverse subcomponenten van de distro, zoals Python, Emacs, Qemu, Django, Curl, wget etc. welke in de nieuwe versie zijn verholpen.
Oplossingen
Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:
https://portal.msrc.microsoft.com/en-us/security-guidance
Kans
medium
Schade
high
CWE-115
Misinterpretation of Input
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-122
Heap-based Buffer Overflow
CWE-125
Out-of-bounds Read
CWE-129
Improper Validation of Array Index
CWE-187
Partial String Comparison
CWE-190
Integer Overflow or Wraparound
CWE-191
Integer Underflow (Wrap or Wraparound)
CWE-193
Off-by-one Error
CWE-20
Improper Input Validation
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-269
Improper Privilege Management
CWE-273
Improper Check for Dropped Privileges
CWE-280
Improper Handling of Insufficient Permissions or Privileges
CWE-295
Improper Certificate Validation
CWE-297
Improper Validation of Certificate with Host Mismatch
CWE-299
Improper Check for Certificate Revocation
CWE-319
Cleartext Transmission of Sensitive Information
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-369
Divide By Zero
CWE-371
CWE-371
CWE-400
Uncontrolled Resource Consumption
CWE-401
Missing Release of Memory after Effective Lifetime
CWE-404
Improper Resource Shutdown or Release
CWE-416
Use After Free
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-476
NULL Pointer Dereference
CWE-532
Insertion of Sensitive Information into Log File
CWE-667
Improper Locking
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-770
Allocation of Resources Without Limits or Throttling
CWE-772
Missing Release of Resource after Effective Lifetime
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-787
Out-of-bounds Write
CWE-833
Deadlock
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-863
Incorrect Authorization
CWE-918
Server-Side Request Forgery (SSRF)
CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Microsoft heeft kwetsbaarheden verholpen in Mariner (Azure Linux).",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden betreffen oudere kwetsbaarheden in diverse subcomponenten van de distro, zoals Python, Emacs, Qemu, Django, Curl, wget etc. welke in de nieuwe versie zijn verholpen.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Misinterpretation of Input",
"title": "CWE-115"
},
{
"category": "general",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "general",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "general",
"text": "Heap-based Buffer Overflow",
"title": "CWE-122"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Improper Validation of Array Index",
"title": "CWE-129"
},
{
"category": "general",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "general",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
},
{
"category": "general",
"text": "Integer Underflow (Wrap or Wraparound)",
"title": "CWE-191"
},
{
"category": "general",
"text": "Off-by-one Error",
"title": "CWE-193"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Privilege Management",
"title": "CWE-269"
},
{
"category": "general",
"text": "Improper Check for Dropped Privileges",
"title": "CWE-273"
},
{
"category": "general",
"text": "Improper Handling of Insufficient Permissions or Privileges ",
"title": "CWE-280"
},
{
"category": "general",
"text": "Improper Certificate Validation",
"title": "CWE-295"
},
{
"category": "general",
"text": "Improper Validation of Certificate with Host Mismatch",
"title": "CWE-297"
},
{
"category": "general",
"text": "Improper Check for Certificate Revocation",
"title": "CWE-299"
},
{
"category": "general",
"text": "Cleartext Transmission of Sensitive Information",
"title": "CWE-319"
},
{
"category": "general",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "general",
"text": "Divide By Zero",
"title": "CWE-369"
},
{
"category": "general",
"text": "CWE-371",
"title": "CWE-371"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "general",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "general",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
},
{
"category": "general",
"text": "Insertion of Sensitive Information into Log File",
"title": "CWE-532"
},
{
"category": "general",
"text": "Improper Locking",
"title": "CWE-667"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"title": "CWE-74"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Deadlock",
"title": "CWE-833"
},
{
"category": "general",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"title": "CWE-95"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"title": "Kwetsbaarheden verholpen in Microsoft Mariner",
"tracking": {
"current_release_date": "2024-08-13T18:23:22.271316Z",
"id": "NCSC-2024-0339",
"initial_release_date": "2024-08-13T18:23:22.271316Z",
"revision_history": [
{
"date": "2024-08-13T18:23:22.271316Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "cbl-mariner",
"product": {
"name": "cbl-mariner",
"product_id": "CSAFPID-1489521",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:cbl-mariner:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "microsoft"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-2601",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "other",
"text": "Heap-based Buffer Overflow",
"title": "CWE-122"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-2601",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-2601.json"
}
],
"title": "CVE-2022-2601"
},
{
"cve": "CVE-2022-3775",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-3775",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-3775.json"
}
],
"title": "CVE-2022-3775"
},
{
"cve": "CVE-2022-36648",
"references": [
{
"category": "self",
"summary": "CVE-2022-36648",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-36648.json"
}
],
"title": "CVE-2022-36648"
},
{
"cve": "CVE-2019-3833",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-3833",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-3833.json"
}
],
"title": "CVE-2019-3833"
},
{
"cve": "CVE-2021-3929",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-3929",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-3929.json"
}
],
"title": "CVE-2021-3929"
},
{
"cve": "CVE-2021-4158",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-4158",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-4158.json"
}
],
"title": "CVE-2021-4158"
},
{
"cve": "CVE-2021-4206",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "other",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-4206",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-4206.json"
}
],
"title": "CVE-2021-4206"
},
{
"cve": "CVE-2021-4207",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-4207",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-4207.json"
}
],
"title": "CVE-2021-4207"
},
{
"cve": "CVE-2022-26353",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-26353",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-26353.json"
}
],
"title": "CVE-2022-26353"
},
{
"cve": "CVE-2022-35414",
"references": [
{
"category": "self",
"summary": "CVE-2022-35414",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-35414.json"
}
],
"title": "CVE-2022-35414"
},
{
"cve": "CVE-2023-3354",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-3354",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-3354.json"
}
],
"title": "CVE-2023-3354"
},
{
"cve": "CVE-2022-3872",
"cwe": {
"id": "CWE-193",
"name": "Off-by-one Error"
},
"notes": [
{
"category": "other",
"text": "Off-by-one Error",
"title": "CWE-193"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-3872",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-3872.json"
}
],
"title": "CVE-2022-3872"
},
{
"cve": "CVE-2022-4144",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-4144",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-4144.json"
}
],
"title": "CVE-2022-4144"
},
{
"cve": "CVE-2023-45288",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-45288",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-45288.json"
}
],
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2023-29404",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-29404",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-29404.json"
}
],
"title": "CVE-2023-29404"
},
{
"cve": "CVE-2023-29402",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-29402",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-29402.json"
}
],
"title": "CVE-2023-29402"
},
{
"cve": "CVE-2019-3816",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-3816",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-3816.json"
}
],
"title": "CVE-2019-3816"
},
{
"cve": "CVE-2021-3750",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-3750",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-3750.json"
}
],
"title": "CVE-2021-3750"
},
{
"cve": "CVE-2022-0358",
"cwe": {
"id": "CWE-273",
"name": "Improper Check for Dropped Privileges"
},
"notes": [
{
"category": "other",
"text": "Improper Check for Dropped Privileges",
"title": "CWE-273"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-0358",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-0358.json"
}
],
"title": "CVE-2022-0358"
},
{
"cve": "CVE-2022-26354",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-26354",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-26354.json"
}
],
"title": "CVE-2022-26354"
},
{
"cve": "CVE-2022-3165",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Integer Underflow (Wrap or Wraparound)",
"title": "CWE-191"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-3165",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-3165.json"
}
],
"title": "CVE-2022-3165"
},
{
"cve": "CVE-2022-2962",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-2962",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-2962.json"
}
],
"title": "CVE-2022-2962"
},
{
"cve": "CVE-2022-41722",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-41722",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-41722.json"
}
],
"title": "CVE-2022-41722"
},
{
"cve": "CVE-2022-29526",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges "
},
"notes": [
{
"category": "other",
"text": "Improper Handling of Insufficient Permissions or Privileges ",
"title": "CWE-280"
},
{
"category": "other",
"text": "Improper Privilege Management",
"title": "CWE-269"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-29526",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-29526.json"
}
],
"title": "CVE-2022-29526"
},
{
"cve": "CVE-2007-4559",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2007-4559",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2007/CVE-2007-4559.json"
}
],
"title": "CVE-2007-4559"
},
{
"cve": "CVE-2019-9674",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-9674",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-9674.json"
}
],
"title": "CVE-2019-9674"
},
{
"cve": "CVE-2017-18207",
"references": [
{
"category": "self",
"summary": "CVE-2017-18207",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2017/CVE-2017-18207.json"
}
],
"title": "CVE-2017-18207"
},
{
"cve": "CVE-2019-20907",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-20907",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-20907.json"
}
],
"title": "CVE-2019-20907"
},
{
"cve": "CVE-2021-23336",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-23336",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-23336.json"
}
],
"title": "CVE-2021-23336"
},
{
"cve": "CVE-2017-17522",
"references": [
{
"category": "self",
"summary": "CVE-2017-17522",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2017/CVE-2017-17522.json"
}
],
"title": "CVE-2017-17522"
},
{
"cve": "CVE-2024-6655",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"title": "CWE-74"
},
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-6655",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6655.json"
}
],
"title": "CVE-2024-6655"
},
{
"cve": "CVE-2024-2466",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Certificate Validation",
"title": "CWE-295"
},
{
"category": "other",
"text": "Improper Validation of Certificate with Host Mismatch",
"title": "CWE-297"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-2466",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2466.json"
}
],
"title": "CVE-2024-2466"
},
{
"cve": "CVE-2024-39331",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "other",
"text": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"title": "CWE-95"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39331",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39331.json"
}
],
"title": "CVE-2024-39331"
},
{
"cve": "CVE-2021-43565",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-43565",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-43565.json"
}
],
"title": "CVE-2021-43565"
},
{
"cve": "CVE-2024-39277",
"cwe": {
"id": "CWE-129",
"name": "Improper Validation of Array Index"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Array Index",
"title": "CWE-129"
},
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39277",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39277.json"
}
],
"title": "CVE-2024-39277"
},
{
"cve": "CVE-2024-38780",
"cwe": {
"id": "CWE-371",
"name": "-"
},
"notes": [
{
"category": "other",
"text": "CWE-371",
"title": "CWE-371"
},
{
"category": "other",
"text": "Improper Locking",
"title": "CWE-667"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38780",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38780.json"
}
],
"title": "CVE-2024-38780"
},
{
"cve": "CVE-2024-39292",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39292",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39292.json"
}
],
"title": "CVE-2024-39292"
},
{
"cve": "CVE-2024-39482",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39482",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39482.json"
}
],
"title": "CVE-2024-39482"
},
{
"cve": "CVE-2024-39484",
"references": [
{
"category": "self",
"summary": "CVE-2024-39484",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39484.json"
}
],
"title": "CVE-2024-39484"
},
{
"cve": "CVE-2024-39495",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39495",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39495.json"
}
],
"title": "CVE-2024-39495"
},
{
"cve": "CVE-2024-40902",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-40902",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-40902.json"
}
],
"title": "CVE-2024-40902"
},
{
"cve": "CVE-2024-41110",
"cwe": {
"id": "CWE-187",
"name": "Partial String Comparison"
},
"notes": [
{
"category": "other",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-41110",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-41110.json"
}
],
"title": "CVE-2024-41110"
},
{
"cve": "CVE-2024-37298",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-37298",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37298.json"
}
],
"title": "CVE-2024-37298"
},
{
"cve": "CVE-2024-0397",
"references": [
{
"category": "self",
"summary": "CVE-2024-0397",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0397.json"
}
],
"title": "CVE-2024-0397"
},
{
"cve": "CVE-2024-38571",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38571",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38571.json"
}
],
"title": "CVE-2024-38571"
},
{
"cve": "CVE-2024-42077",
"references": [
{
"category": "self",
"summary": "CVE-2024-42077",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42077.json"
}
],
"title": "CVE-2024-42077"
},
{
"cve": "CVE-2024-39473",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39473",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39473.json"
}
],
"title": "CVE-2024-39473"
},
{
"cve": "CVE-2024-26900",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-26900",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26900.json"
}
],
"title": "CVE-2024-26900"
},
{
"cve": "CVE-2024-39474",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39474",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39474.json"
}
],
"title": "CVE-2024-39474"
},
{
"cve": "CVE-2024-42073",
"references": [
{
"category": "self",
"summary": "CVE-2024-42073",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42073.json"
}
],
"title": "CVE-2024-42073"
},
{
"cve": "CVE-2024-42074",
"references": [
{
"category": "self",
"summary": "CVE-2024-42074",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42074.json"
}
],
"title": "CVE-2024-42074"
},
{
"cve": "CVE-2024-42075",
"references": [
{
"category": "self",
"summary": "CVE-2024-42075",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42075.json"
}
],
"title": "CVE-2024-42075"
},
{
"cve": "CVE-2024-42078",
"references": [
{
"category": "self",
"summary": "CVE-2024-42078",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42078.json"
}
],
"title": "CVE-2024-42078"
},
{
"cve": "CVE-2024-0853",
"cwe": {
"id": "CWE-299",
"name": "Improper Check for Certificate Revocation"
},
"notes": [
{
"category": "other",
"text": "Improper Check for Certificate Revocation",
"title": "CWE-299"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-0853",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0853.json"
}
],
"title": "CVE-2024-0853"
},
{
"cve": "CVE-2024-2004",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "other",
"text": "Cleartext Transmission of Sensitive Information",
"title": "CWE-319"
},
{
"category": "other",
"text": "Misinterpretation of Input",
"title": "CWE-115"
},
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-2004",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2004.json"
}
],
"title": "CVE-2024-2004"
},
{
"cve": "CVE-2024-2398",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
},
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-2398",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2398.json"
}
],
"title": "CVE-2024-2398"
},
{
"cve": "CVE-2024-38662",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38662",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38662.json"
}
],
"title": "CVE-2024-38662"
},
{
"cve": "CVE-2024-36288",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "other",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-36288",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-36288.json"
}
],
"title": "CVE-2024-36288"
},
{
"cve": "CVE-2024-39480",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39480",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39480.json"
}
],
"title": "CVE-2024-39480"
},
{
"cve": "CVE-2024-39476",
"cwe": {
"id": "CWE-833",
"name": "Deadlock"
},
"notes": [
{
"category": "other",
"text": "Deadlock",
"title": "CWE-833"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39476",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39476.json"
}
],
"title": "CVE-2024-39476"
},
{
"cve": "CVE-2024-39475",
"cwe": {
"id": "CWE-369",
"name": "Divide By Zero"
},
"notes": [
{
"category": "other",
"text": "Divide By Zero",
"title": "CWE-369"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39475",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39475.json"
}
],
"title": "CVE-2024-39475"
},
{
"cve": "CVE-2024-37371",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"notes": [
{
"category": "other",
"text": "Improper Handling of Length Parameter Inconsistency",
"title": "CWE-130"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-37371",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37371.json"
}
],
"title": "CVE-2024-37371"
},
{
"cve": "CVE-2024-26461",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-26461",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26461.json"
}
],
"title": "CVE-2024-26461"
},
{
"cve": "CVE-2024-37370",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"notes": [
{
"category": "other",
"text": "Improper Handling of Length Parameter Inconsistency",
"title": "CWE-130"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-37370",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37370.json"
}
],
"title": "CVE-2024-37370"
},
{
"cve": "CVE-2024-6104",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"notes": [
{
"category": "other",
"text": "Insertion of Sensitive Information into Log File",
"title": "CWE-532"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-6104",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6104.json"
}
],
"title": "CVE-2024-6104"
},
{
"cve": "CVE-2024-6257",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-6257",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6257.json"
}
],
"title": "CVE-2024-6257"
},
{
"cve": "CVE-2024-23722",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-23722",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23722.json"
}
],
"title": "CVE-2024-23722"
},
{
"cve": "CVE-2024-40898",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-40898",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-40898.json"
}
],
"title": "CVE-2024-40898"
},
{
"cve": "CVE-2024-38583",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38583",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38583.json"
}
],
"title": "CVE-2024-38583"
},
{
"cve": "CVE-2024-39493",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39493",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39493.json"
}
],
"title": "CVE-2024-39493"
},
{
"cve": "CVE-2024-42068",
"references": [
{
"category": "self",
"summary": "CVE-2024-42068",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42068.json"
}
],
"title": "CVE-2024-42068"
},
{
"cve": "CVE-2024-39489",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39489",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39489.json"
}
],
"title": "CVE-2024-39489"
},
{
"cve": "CVE-2024-42070",
"references": [
{
"category": "self",
"summary": "CVE-2024-42070",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42070.json"
}
],
"title": "CVE-2024-42070"
},
{
"cve": "CVE-2024-42076",
"references": [
{
"category": "self",
"summary": "CVE-2024-42076",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42076.json"
}
],
"title": "CVE-2024-42076"
},
{
"cve": "CVE-2024-42080",
"references": [
{
"category": "self",
"summary": "CVE-2024-42080",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42080.json"
}
],
"title": "CVE-2024-42080"
},
{
"cve": "CVE-2024-38428",
"cwe": {
"id": "CWE-115",
"name": "Misinterpretation of Input"
},
"notes": [
{
"category": "other",
"text": "Misinterpretation of Input",
"title": "CWE-115"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38428",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38428.json"
}
],
"title": "CVE-2024-38428"
},
{
"cve": "CVE-2024-42082",
"references": [
{
"category": "self",
"summary": "CVE-2024-42082",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42082.json"
}
],
"title": "CVE-2024-42082"
},
{
"cve": "CVE-2022-48788",
"references": [
{
"category": "self",
"summary": "CVE-2022-48788",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-48788.json"
}
],
"title": "CVE-2022-48788"
},
{
"cve": "CVE-2023-52340",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-52340",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52340.json"
}
],
"title": "CVE-2023-52340"
},
{
"cve": "CVE-2022-48841",
"references": [
{
"category": "self",
"summary": "CVE-2022-48841",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-48841.json"
}
],
"title": "CVE-2022-48841"
},
{
"cve": "CVE-2024-39485",
"references": [
{
"category": "self",
"summary": "CVE-2024-39485",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39485.json"
}
],
"title": "CVE-2024-39485"
},
{
"cve": "CVE-2024-39483",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"title": "CWE-74"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39483",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39483.json"
}
],
"title": "CVE-2024-39483"
},
{
"cve": "CVE-2024-42071",
"references": [
{
"category": "self",
"summary": "CVE-2024-42071",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42071.json"
}
],
"title": "CVE-2024-42071"
},
{
"cve": "CVE-2024-42072",
"references": [
{
"category": "self",
"summary": "CVE-2024-42072",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42072.json"
}
],
"title": "CVE-2024-42072"
},
{
"cve": "CVE-2024-42237",
"references": [
{
"category": "self",
"summary": "CVE-2024-42237",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42237.json"
}
],
"title": "CVE-2024-42237"
},
{
"cve": "CVE-2024-42083",
"references": [
{
"category": "self",
"summary": "CVE-2024-42083",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42083.json"
}
],
"title": "CVE-2024-42083"
}
]
}
ncsc-2024-0339
Vulnerability from csaf_ncscnl
Published
2024-08-13 18:23
Modified
2024-08-13 18:23
Summary
Kwetsbaarheden verholpen in Microsoft Mariner
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Microsoft heeft kwetsbaarheden verholpen in Mariner (Azure Linux).
Interpretaties
De kwetsbaarheden betreffen oudere kwetsbaarheden in diverse subcomponenten van de distro, zoals Python, Emacs, Qemu, Django, Curl, wget etc. welke in de nieuwe versie zijn verholpen.
Oplossingen
Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:
https://portal.msrc.microsoft.com/en-us/security-guidance
Kans
medium
Schade
high
CWE-115
Misinterpretation of Input
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-122
Heap-based Buffer Overflow
CWE-125
Out-of-bounds Read
CWE-129
Improper Validation of Array Index
CWE-187
Partial String Comparison
CWE-190
Integer Overflow or Wraparound
CWE-191
Integer Underflow (Wrap or Wraparound)
CWE-193
Off-by-one Error
CWE-20
Improper Input Validation
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-269
Improper Privilege Management
CWE-273
Improper Check for Dropped Privileges
CWE-280
Improper Handling of Insufficient Permissions or Privileges
CWE-295
Improper Certificate Validation
CWE-297
Improper Validation of Certificate with Host Mismatch
CWE-299
Improper Check for Certificate Revocation
CWE-319
Cleartext Transmission of Sensitive Information
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-369
Divide By Zero
CWE-371
CWE-371
CWE-400
Uncontrolled Resource Consumption
CWE-401
Missing Release of Memory after Effective Lifetime
CWE-404
Improper Resource Shutdown or Release
CWE-416
Use After Free
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-476
NULL Pointer Dereference
CWE-532
Insertion of Sensitive Information into Log File
CWE-667
Improper Locking
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-770
Allocation of Resources Without Limits or Throttling
CWE-772
Missing Release of Resource after Effective Lifetime
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-787
Out-of-bounds Write
CWE-833
Deadlock
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-863
Incorrect Authorization
CWE-918
Server-Side Request Forgery (SSRF)
CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Microsoft heeft kwetsbaarheden verholpen in Mariner (Azure Linux).",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden betreffen oudere kwetsbaarheden in diverse subcomponenten van de distro, zoals Python, Emacs, Qemu, Django, Curl, wget etc. welke in de nieuwe versie zijn verholpen.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Misinterpretation of Input",
"title": "CWE-115"
},
{
"category": "general",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
},
{
"category": "general",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "general",
"text": "Heap-based Buffer Overflow",
"title": "CWE-122"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Improper Validation of Array Index",
"title": "CWE-129"
},
{
"category": "general",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "general",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
},
{
"category": "general",
"text": "Integer Underflow (Wrap or Wraparound)",
"title": "CWE-191"
},
{
"category": "general",
"text": "Off-by-one Error",
"title": "CWE-193"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Privilege Management",
"title": "CWE-269"
},
{
"category": "general",
"text": "Improper Check for Dropped Privileges",
"title": "CWE-273"
},
{
"category": "general",
"text": "Improper Handling of Insufficient Permissions or Privileges ",
"title": "CWE-280"
},
{
"category": "general",
"text": "Improper Certificate Validation",
"title": "CWE-295"
},
{
"category": "general",
"text": "Improper Validation of Certificate with Host Mismatch",
"title": "CWE-297"
},
{
"category": "general",
"text": "Improper Check for Certificate Revocation",
"title": "CWE-299"
},
{
"category": "general",
"text": "Cleartext Transmission of Sensitive Information",
"title": "CWE-319"
},
{
"category": "general",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "general",
"text": "Divide By Zero",
"title": "CWE-369"
},
{
"category": "general",
"text": "CWE-371",
"title": "CWE-371"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "general",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "general",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
},
{
"category": "general",
"text": "Insertion of Sensitive Information into Log File",
"title": "CWE-532"
},
{
"category": "general",
"text": "Improper Locking",
"title": "CWE-667"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"title": "CWE-74"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Deadlock",
"title": "CWE-833"
},
{
"category": "general",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"title": "CWE-95"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"title": "Kwetsbaarheden verholpen in Microsoft Mariner",
"tracking": {
"current_release_date": "2024-08-13T18:23:22.271316Z",
"id": "NCSC-2024-0339",
"initial_release_date": "2024-08-13T18:23:22.271316Z",
"revision_history": [
{
"date": "2024-08-13T18:23:22.271316Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "cbl-mariner",
"product": {
"name": "cbl-mariner",
"product_id": "CSAFPID-1489521",
"product_identification_helper": {
"cpe": "cpe:2.3:a:microsoft:cbl-mariner:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "microsoft"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-2601",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "other",
"text": "Heap-based Buffer Overflow",
"title": "CWE-122"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-2601",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-2601.json"
}
],
"title": "CVE-2022-2601"
},
{
"cve": "CVE-2022-3775",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-3775",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-3775.json"
}
],
"title": "CVE-2022-3775"
},
{
"cve": "CVE-2022-36648",
"references": [
{
"category": "self",
"summary": "CVE-2022-36648",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-36648.json"
}
],
"title": "CVE-2022-36648"
},
{
"cve": "CVE-2019-3833",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-3833",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-3833.json"
}
],
"title": "CVE-2019-3833"
},
{
"cve": "CVE-2021-3929",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-3929",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-3929.json"
}
],
"title": "CVE-2021-3929"
},
{
"cve": "CVE-2021-4158",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-4158",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-4158.json"
}
],
"title": "CVE-2021-4158"
},
{
"cve": "CVE-2021-4206",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "other",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-4206",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-4206.json"
}
],
"title": "CVE-2021-4206"
},
{
"cve": "CVE-2021-4207",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-4207",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-4207.json"
}
],
"title": "CVE-2021-4207"
},
{
"cve": "CVE-2022-26353",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-26353",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-26353.json"
}
],
"title": "CVE-2022-26353"
},
{
"cve": "CVE-2022-35414",
"references": [
{
"category": "self",
"summary": "CVE-2022-35414",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-35414.json"
}
],
"title": "CVE-2022-35414"
},
{
"cve": "CVE-2023-3354",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-3354",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-3354.json"
}
],
"title": "CVE-2023-3354"
},
{
"cve": "CVE-2022-3872",
"cwe": {
"id": "CWE-193",
"name": "Off-by-one Error"
},
"notes": [
{
"category": "other",
"text": "Off-by-one Error",
"title": "CWE-193"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-3872",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-3872.json"
}
],
"title": "CVE-2022-3872"
},
{
"cve": "CVE-2022-4144",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-4144",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-4144.json"
}
],
"title": "CVE-2022-4144"
},
{
"cve": "CVE-2023-45288",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-45288",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-45288.json"
}
],
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2023-29404",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-29404",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-29404.json"
}
],
"title": "CVE-2023-29404"
},
{
"cve": "CVE-2023-29402",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-29402",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-29402.json"
}
],
"title": "CVE-2023-29402"
},
{
"cve": "CVE-2019-3816",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-3816",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-3816.json"
}
],
"title": "CVE-2019-3816"
},
{
"cve": "CVE-2021-3750",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-3750",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-3750.json"
}
],
"title": "CVE-2021-3750"
},
{
"cve": "CVE-2022-0358",
"cwe": {
"id": "CWE-273",
"name": "Improper Check for Dropped Privileges"
},
"notes": [
{
"category": "other",
"text": "Improper Check for Dropped Privileges",
"title": "CWE-273"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-0358",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-0358.json"
}
],
"title": "CVE-2022-0358"
},
{
"cve": "CVE-2022-26354",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-26354",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-26354.json"
}
],
"title": "CVE-2022-26354"
},
{
"cve": "CVE-2022-3165",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Integer Underflow (Wrap or Wraparound)",
"title": "CWE-191"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-3165",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-3165.json"
}
],
"title": "CVE-2022-3165"
},
{
"cve": "CVE-2022-2962",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-2962",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-2962.json"
}
],
"title": "CVE-2022-2962"
},
{
"cve": "CVE-2022-41722",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-41722",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-41722.json"
}
],
"title": "CVE-2022-41722"
},
{
"cve": "CVE-2022-29526",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges "
},
"notes": [
{
"category": "other",
"text": "Improper Handling of Insufficient Permissions or Privileges ",
"title": "CWE-280"
},
{
"category": "other",
"text": "Improper Privilege Management",
"title": "CWE-269"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2022-29526",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-29526.json"
}
],
"title": "CVE-2022-29526"
},
{
"cve": "CVE-2007-4559",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2007-4559",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2007/CVE-2007-4559.json"
}
],
"title": "CVE-2007-4559"
},
{
"cve": "CVE-2019-9674",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-9674",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-9674.json"
}
],
"title": "CVE-2019-9674"
},
{
"cve": "CVE-2017-18207",
"references": [
{
"category": "self",
"summary": "CVE-2017-18207",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2017/CVE-2017-18207.json"
}
],
"title": "CVE-2017-18207"
},
{
"cve": "CVE-2019-20907",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2019-20907",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-20907.json"
}
],
"title": "CVE-2019-20907"
},
{
"cve": "CVE-2021-23336",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-23336",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-23336.json"
}
],
"title": "CVE-2021-23336"
},
{
"cve": "CVE-2017-17522",
"references": [
{
"category": "self",
"summary": "CVE-2017-17522",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2017/CVE-2017-17522.json"
}
],
"title": "CVE-2017-17522"
},
{
"cve": "CVE-2024-6655",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"title": "CWE-74"
},
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-6655",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6655.json"
}
],
"title": "CVE-2024-6655"
},
{
"cve": "CVE-2024-2466",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Certificate Validation",
"title": "CWE-295"
},
{
"category": "other",
"text": "Improper Validation of Certificate with Host Mismatch",
"title": "CWE-297"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-2466",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2466.json"
}
],
"title": "CVE-2024-2466"
},
{
"cve": "CVE-2024-39331",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "other",
"text": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"title": "CWE-95"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39331",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39331.json"
}
],
"title": "CVE-2024-39331"
},
{
"cve": "CVE-2021-43565",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2021-43565",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-43565.json"
}
],
"title": "CVE-2021-43565"
},
{
"cve": "CVE-2024-39277",
"cwe": {
"id": "CWE-129",
"name": "Improper Validation of Array Index"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Array Index",
"title": "CWE-129"
},
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39277",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39277.json"
}
],
"title": "CVE-2024-39277"
},
{
"cve": "CVE-2024-38780",
"cwe": {
"id": "CWE-371",
"name": "-"
},
"notes": [
{
"category": "other",
"text": "CWE-371",
"title": "CWE-371"
},
{
"category": "other",
"text": "Improper Locking",
"title": "CWE-667"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38780",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38780.json"
}
],
"title": "CVE-2024-38780"
},
{
"cve": "CVE-2024-39292",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39292",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39292.json"
}
],
"title": "CVE-2024-39292"
},
{
"cve": "CVE-2024-39482",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39482",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39482.json"
}
],
"title": "CVE-2024-39482"
},
{
"cve": "CVE-2024-39484",
"references": [
{
"category": "self",
"summary": "CVE-2024-39484",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39484.json"
}
],
"title": "CVE-2024-39484"
},
{
"cve": "CVE-2024-39495",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39495",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39495.json"
}
],
"title": "CVE-2024-39495"
},
{
"cve": "CVE-2024-40902",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-40902",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-40902.json"
}
],
"title": "CVE-2024-40902"
},
{
"cve": "CVE-2024-41110",
"cwe": {
"id": "CWE-187",
"name": "Partial String Comparison"
},
"notes": [
{
"category": "other",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-41110",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-41110.json"
}
],
"title": "CVE-2024-41110"
},
{
"cve": "CVE-2024-37298",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-37298",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37298.json"
}
],
"title": "CVE-2024-37298"
},
{
"cve": "CVE-2024-0397",
"references": [
{
"category": "self",
"summary": "CVE-2024-0397",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0397.json"
}
],
"title": "CVE-2024-0397"
},
{
"cve": "CVE-2024-38571",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38571",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38571.json"
}
],
"title": "CVE-2024-38571"
},
{
"cve": "CVE-2024-42077",
"references": [
{
"category": "self",
"summary": "CVE-2024-42077",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42077.json"
}
],
"title": "CVE-2024-42077"
},
{
"cve": "CVE-2024-39473",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39473",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39473.json"
}
],
"title": "CVE-2024-39473"
},
{
"cve": "CVE-2024-26900",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-26900",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26900.json"
}
],
"title": "CVE-2024-26900"
},
{
"cve": "CVE-2024-39474",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39474",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39474.json"
}
],
"title": "CVE-2024-39474"
},
{
"cve": "CVE-2024-42073",
"references": [
{
"category": "self",
"summary": "CVE-2024-42073",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42073.json"
}
],
"title": "CVE-2024-42073"
},
{
"cve": "CVE-2024-42074",
"references": [
{
"category": "self",
"summary": "CVE-2024-42074",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42074.json"
}
],
"title": "CVE-2024-42074"
},
{
"cve": "CVE-2024-42075",
"references": [
{
"category": "self",
"summary": "CVE-2024-42075",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42075.json"
}
],
"title": "CVE-2024-42075"
},
{
"cve": "CVE-2024-42078",
"references": [
{
"category": "self",
"summary": "CVE-2024-42078",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42078.json"
}
],
"title": "CVE-2024-42078"
},
{
"cve": "CVE-2024-0853",
"cwe": {
"id": "CWE-299",
"name": "Improper Check for Certificate Revocation"
},
"notes": [
{
"category": "other",
"text": "Improper Check for Certificate Revocation",
"title": "CWE-299"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-0853",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0853.json"
}
],
"title": "CVE-2024-0853"
},
{
"cve": "CVE-2024-2004",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "other",
"text": "Cleartext Transmission of Sensitive Information",
"title": "CWE-319"
},
{
"category": "other",
"text": "Misinterpretation of Input",
"title": "CWE-115"
},
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-2004",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2004.json"
}
],
"title": "CVE-2024-2004"
},
{
"cve": "CVE-2024-2398",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
},
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-2398",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2398.json"
}
],
"title": "CVE-2024-2398"
},
{
"cve": "CVE-2024-38662",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38662",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38662.json"
}
],
"title": "CVE-2024-38662"
},
{
"cve": "CVE-2024-36288",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "other",
"text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"title": "CWE-119"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-36288",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-36288.json"
}
],
"title": "CVE-2024-36288"
},
{
"cve": "CVE-2024-39480",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39480",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39480.json"
}
],
"title": "CVE-2024-39480"
},
{
"cve": "CVE-2024-39476",
"cwe": {
"id": "CWE-833",
"name": "Deadlock"
},
"notes": [
{
"category": "other",
"text": "Deadlock",
"title": "CWE-833"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39476",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39476.json"
}
],
"title": "CVE-2024-39476"
},
{
"cve": "CVE-2024-39475",
"cwe": {
"id": "CWE-369",
"name": "Divide By Zero"
},
"notes": [
{
"category": "other",
"text": "Divide By Zero",
"title": "CWE-369"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39475",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39475.json"
}
],
"title": "CVE-2024-39475"
},
{
"cve": "CVE-2024-37371",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"notes": [
{
"category": "other",
"text": "Improper Handling of Length Parameter Inconsistency",
"title": "CWE-130"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-37371",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37371.json"
}
],
"title": "CVE-2024-37371"
},
{
"cve": "CVE-2024-26461",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-26461",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26461.json"
}
],
"title": "CVE-2024-26461"
},
{
"cve": "CVE-2024-37370",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"notes": [
{
"category": "other",
"text": "Improper Handling of Length Parameter Inconsistency",
"title": "CWE-130"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-37370",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37370.json"
}
],
"title": "CVE-2024-37370"
},
{
"cve": "CVE-2024-6104",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"notes": [
{
"category": "other",
"text": "Insertion of Sensitive Information into Log File",
"title": "CWE-532"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-6104",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6104.json"
}
],
"title": "CVE-2024-6104"
},
{
"cve": "CVE-2024-6257",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-6257",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6257.json"
}
],
"title": "CVE-2024-6257"
},
{
"cve": "CVE-2024-23722",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-23722",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23722.json"
}
],
"title": "CVE-2024-23722"
},
{
"cve": "CVE-2024-40898",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-40898",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-40898.json"
}
],
"title": "CVE-2024-40898"
},
{
"cve": "CVE-2024-38583",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38583",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38583.json"
}
],
"title": "CVE-2024-38583"
},
{
"cve": "CVE-2024-39493",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39493",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39493.json"
}
],
"title": "CVE-2024-39493"
},
{
"cve": "CVE-2024-42068",
"references": [
{
"category": "self",
"summary": "CVE-2024-42068",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42068.json"
}
],
"title": "CVE-2024-42068"
},
{
"cve": "CVE-2024-39489",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Memory after Effective Lifetime",
"title": "CWE-401"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39489",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39489.json"
}
],
"title": "CVE-2024-39489"
},
{
"cve": "CVE-2024-42070",
"references": [
{
"category": "self",
"summary": "CVE-2024-42070",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42070.json"
}
],
"title": "CVE-2024-42070"
},
{
"cve": "CVE-2024-42076",
"references": [
{
"category": "self",
"summary": "CVE-2024-42076",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42076.json"
}
],
"title": "CVE-2024-42076"
},
{
"cve": "CVE-2024-42080",
"references": [
{
"category": "self",
"summary": "CVE-2024-42080",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42080.json"
}
],
"title": "CVE-2024-42080"
},
{
"cve": "CVE-2024-38428",
"cwe": {
"id": "CWE-115",
"name": "Misinterpretation of Input"
},
"notes": [
{
"category": "other",
"text": "Misinterpretation of Input",
"title": "CWE-115"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-38428",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38428.json"
}
],
"title": "CVE-2024-38428"
},
{
"cve": "CVE-2024-42082",
"references": [
{
"category": "self",
"summary": "CVE-2024-42082",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42082.json"
}
],
"title": "CVE-2024-42082"
},
{
"cve": "CVE-2022-48788",
"references": [
{
"category": "self",
"summary": "CVE-2022-48788",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-48788.json"
}
],
"title": "CVE-2022-48788"
},
{
"cve": "CVE-2023-52340",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2023-52340",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52340.json"
}
],
"title": "CVE-2023-52340"
},
{
"cve": "CVE-2022-48841",
"references": [
{
"category": "self",
"summary": "CVE-2022-48841",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-48841.json"
}
],
"title": "CVE-2022-48841"
},
{
"cve": "CVE-2024-39485",
"references": [
{
"category": "self",
"summary": "CVE-2024-39485",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39485.json"
}
],
"title": "CVE-2024-39485"
},
{
"cve": "CVE-2024-39483",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"title": "CWE-74"
}
],
"references": [
{
"category": "self",
"summary": "CVE-2024-39483",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39483.json"
}
],
"title": "CVE-2024-39483"
},
{
"cve": "CVE-2024-42071",
"references": [
{
"category": "self",
"summary": "CVE-2024-42071",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42071.json"
}
],
"title": "CVE-2024-42071"
},
{
"cve": "CVE-2024-42072",
"references": [
{
"category": "self",
"summary": "CVE-2024-42072",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42072.json"
}
],
"title": "CVE-2024-42072"
},
{
"cve": "CVE-2024-42237",
"references": [
{
"category": "self",
"summary": "CVE-2024-42237",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42237.json"
}
],
"title": "CVE-2024-42237"
},
{
"cve": "CVE-2024-42083",
"references": [
{
"category": "self",
"summary": "CVE-2024-42083",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-42083.json"
}
],
"title": "CVE-2024-42083"
}
]
}
ncsc-2024-0318
Vulnerability from csaf_ncscnl
Published
2024-07-25 11:28
Modified
2024-07-25 11:28
Summary
Kwetsbaarheden verholpen in Docker Moby
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er is een kwetsbaarheid verholpen in Docker Moby.
Interpretaties
De kwetsbaarheid stelt een kwaadwillende in staat om via een API request zijn rechten te verhogen door middel van het omzeilen van een beveiligingsmaatregel. Deze kwetsbaarheid is alleen te misbruiken als er gebruik wordt gemaakt van een AuthZ plugin om toegangsrechten te beheren.
Oplossingen
Het Docker team heeft een update uitgebracht om de kwetsbaarheid te verhelpen in Moby. Als updaten niet mogelijk is wordt door Docker geadviseerd om de plug-in uit te schakelen. Daarnaast is het goed gebruik om leastprivilege op een dergelijke API toe te passen.
Zie de referentie voor meer informatie.
Kans
medium
Schade
high
CWE-187
Partial String Comparison
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-863
Incorrect Authorization
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Er is een kwetsbaarheid verholpen in Docker Moby. ",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheid stelt een kwaadwillende in staat om via een API request zijn rechten te verhogen door middel van het omzeilen van een beveiligingsmaatregel. Deze kwetsbaarheid is alleen te misbruiken als er gebruik wordt gemaakt van een AuthZ plugin om toegangsrechten te beheren. \n\n\n",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Het Docker team heeft een update uitgebracht om de kwetsbaarheid te verhelpen in Moby. Als updaten niet mogelijk is wordt door Docker geadviseerd om de plug-in uit te schakelen. Daarnaast is het goed gebruik om leastprivilege op een dergelijke API toe te passen. \n\nZie de referentie voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "general",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41110"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
},
{
"category": "external",
"summary": "Reference - certbundde",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/"
}
],
"title": "Kwetsbaarheden verholpen in Docker Moby ",
"tracking": {
"current_release_date": "2024-07-25T11:28:37.900721Z",
"id": "NCSC-2024-0318",
"initial_release_date": "2024-07-25T11:28:37.900721Z",
"revision_history": [
{
"date": "2024-07-25T11:28:37.900721Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510025",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___19.0.0_____19.03.15:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510026",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___20.0.0_____20.10.27:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510027",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___23.0.0_____23.0.14:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510028",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___24.0.0_____24.0.9:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510029",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___25.0.0_____25.0.5:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510030",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___26.0.0_____26.0.2:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510031",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___26.1.0_____26.1.14:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510032",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:___27.0.0_____27.0.3:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "moby",
"product": {
"name": "moby",
"product_id": "CSAFPID-1510033",
"product_identification_helper": {
"cpe": "cpe:2.3:a:moby:moby:__27.1.0:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "moby"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-41110",
"cwe": {
"id": "CWE-187",
"name": "Partial String Comparison"
},
"notes": [
{
"category": "other",
"text": "Partial String Comparison",
"title": "CWE-187"
},
{
"category": "other",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"title": "CWE-444"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1510025",
"CSAFPID-1510026",
"CSAFPID-1510027",
"CSAFPID-1510028",
"CSAFPID-1510029",
"CSAFPID-1510030",
"CSAFPID-1510031",
"CSAFPID-1510032",
"CSAFPID-1510033"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-41110",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-41110.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1510025",
"CSAFPID-1510026",
"CSAFPID-1510027",
"CSAFPID-1510028",
"CSAFPID-1510029",
"CSAFPID-1510030",
"CSAFPID-1510031",
"CSAFPID-1510032",
"CSAFPID-1510033"
]
}
],
"title": "CVE-2024-41110"
}
]
}
ghsa-v23v-6jw2-98fq
Vulnerability from github
Published
2024-07-30 10:18
Modified
2024-08-09 19:07
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Authz zero length regression
Details
A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.
Impact
Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
Vulnerability details
- AuthZ bypass and privilege escalation: An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.
- Initial fix: The issue was fixed in Docker Engine v18.09.1 January 2019..
- Regression: The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.
Patches
- docker-ce v27.1.1 containes patches to fix the vulnerability.
- Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.
Remediation steps
- If you are running an affected version, update to the most recent patched version.
- Mitigation if unable to update immediately:
- Avoid using AuthZ plugins.
- Restrict access to the Docker API to trusted parties, following the principle of least privilege.
References
- https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
- https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
- https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "19.03.0"
},
{
"fixed": "23.0.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "26.0.0"
},
{
"fixed": "26.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "27.0.0"
},
{
"fixed": "27.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "24.0.0"
},
{
"fixed": "25.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-41110"
],
"database_specific": {
"cwe_ids": [
"CWE-187"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-30T10:18:57Z",
"nvd_published_at": "2024-07-24T17:15:11Z",
"severity": "CRITICAL"
},
"details": "A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass [authorization plugins (AuthZ)](https://docs.docker.com/engine/extend/plugins_authorization/) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.\n\n### Impact\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an [authorization plugin](https://docs.docker.com/engine/extend/plugins_authorization/) without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine [v18.09.1](https://docs.docker.com/engine/release-notes/18.09/#security-fixes-1) in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime **are not vulnerable.**\n\n### Vulnerability details\n\n- **AuthZ bypass and privilege escalation:** An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.\n- **Initial fix:** The issue was fixed in Docker Engine [v18.09.1](https://docs.docker.com/engine/release-notes/18.09/#security-fixes-1) January 2019..\n- **Regression:** The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned [CVE-2024-41110](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110).\n\n### Patches\n\n- docker-ce v27.1.1 containes patches to fix the vulnerability.\n- Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.\n\n### Remediation steps\n\n- If you are running an affected version, update to the most recent patched version.\n- Mitigation if unable to update immediately:\n - Avoid using AuthZ plugins.\n - Restrict access to the Docker API to trusted parties, following the principle of least privilege.\n\n\n### References\n\n- https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb\n- https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1\n- https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/",
"id": "GHSA-v23v-6jw2-98fq",
"modified": "2024-08-09T19:07:47Z",
"published": "2024-07-30T10:18:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41110"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/moby/moby"
},
{
"type": "WEB",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Authz zero length regression"
}
fkie_cve-2024-41110
Vulnerability from fkie_nvd
Published
2024-07-24 17:15
Modified
2024-11-21 09:32
Severity ?
Summary
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege."
},
{
"lang": "es",
"value": "Moby es un proyecto de c\u00f3digo abierto creado por Docker para la contenedorizaci\u00f3n de software. Se ha detectado una vulnerabilidad de seguridad en determinadas versiones de Docker Engine, que podr\u00eda permitir a un atacante omitir los complementos de autorizaci\u00f3n (AuthZ) en circunstancias espec\u00edficas. La probabilidad b\u00e1sica de que esto sea explotado es baja. Utilizando una solicitud de API especialmente manipulada, un cliente de Engine API podr\u00eda hacer que el daemon reenv\u00ede la solicitud o respuesta a un complemento de autorizaci\u00f3n sin el cuerpo. En determinadas circunstancias, el complemento de autorizaci\u00f3n puede permitir una solicitud que, de otro modo, habr\u00eda rechazado si se le hubiera enviado el organismo. En 2018 se descubri\u00f3 un problema de seguridad en el que un atacante pod\u00eda omitir los complementos de AuthZ mediante una solicitud API especialmente manipulada. Esto podr\u00eda dar lugar a acciones no autorizadas, incluida la escalada de privilegios. Aunque este problema se solucion\u00f3 en Docker Engine v18.09.1 en enero de 2019, la soluci\u00f3n no se traslad\u00f3 a versiones principales posteriores, lo que result\u00f3 en una regresi\u00f3n. Cualquiera que dependa de complementos de autorizaci\u00f3n que introspeccionen el cuerpo de solicitud y/o respuesta para tomar decisiones de control de acceso se ver\u00e1 potencialmente afectado. Docker EE v19.03.x y todas las versiones de Mirantis Container Runtime no son vulnerables. docker-ce v27.1.1 contiene parches para corregir la vulnerabilidad. Los parches tambi\u00e9n se han fusionado en las ramas de versi\u00f3n maestra, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0 y 26.1. Si uno no puede actualizar inmediatamente, evite usar complementos de AuthZ y/o restrinja el acceso a la API de Docker a partes confiables, siguiendo el principio de privilegio m\u00ednimo."
}
],
"id": "CVE-2024-41110",
"lastModified": "2024-11-21T09:32:15.160",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-07-24T17:15:11.053",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"source": "security-advisories@github.com",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240802-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-187"
},
{
"lang": "en",
"value": "CWE-444"
},
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
rhsa-2024:10852
Vulnerability from csaf_redhat
Published
2024-12-05 14:54
Modified
2025-02-17 19:01
Summary
Red Hat Security Advisory: RHOAI 2.16.0 - Red Hat OpenShift AI
Notes
Topic
Updated images are now available for Red Hat OpenShift AI.
Details
Release of RHOAI 2.16.0 provides these changes:
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat OpenShift AI.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHOAI 2.16.0 provides these changes:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10852",
"url": "https://access.redhat.com/errata/RHSA-2024:10852"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"url": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10852.json"
}
],
"title": "Red Hat Security Advisory: RHOAI 2.16.0 - Red Hat OpenShift AI",
"tracking": {
"current_release_date": "2025-02-17T19:01:10+00:00",
"generator": {
"date": "2025-02-17T19:01:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.3.1"
}
},
"id": "RHSA-2024:10852",
"initial_release_date": "2024-12-05T14:54:56+00:00",
"revision_history": [
{
"date": "2024-12-05T14:54:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-02-13T17:54:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-02-17T19:01:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift AI 2.16",
"product": {
"name": "Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_ai:2.16::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift AI"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"product_id": "registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-codeflare-operator-rhel8@sha256%3A3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1733112229"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"product_id": "registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-dashboard-rhel8@sha256%3Ac2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1733133582"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"product_id": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-data-science-pipelines-argo-argoexec-rhel8@sha256%3A0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953924"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"product_id": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256%3Ac5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953924"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"product_id": "registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-data-science-pipelines-operator-controller-rhel8@sha256%3A4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953816"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"product_id": "registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-kf-notebook-controller-rhel8@sha256%3A3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953706"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"product_id": "registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-kuberay-operator-controller-rhel8@sha256%3Aefe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1733112196"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"product_id": "registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-kueue-controller-rhel8@sha256%3A1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1733126703"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"product_id": "registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-ml-pipelines-api-server-v2-rhel8@sha256%3A4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954036"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"product_id": "registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-ml-pipelines-driver-rhel8@sha256%3A348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954036"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"product_id": "registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-ml-pipelines-launcher-rhel8@sha256%3Af1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954036"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"product_id": "registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256%3Aab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954036"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"product_id": "registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256%3A59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954036"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"product_id": "registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-mlmd-grpc-server-rhel8@sha256%3Ad0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953940"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"product_id": "registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-mm-rest-proxy-rhel8@sha256%3Ac693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953738"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"product_id": "registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-model-controller-rhel8@sha256%3A56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953799"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"product_id": "registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-model-registry-operator-rhel8@sha256%3A1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954095"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"product_id": "registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-model-registry-rhel8@sha256%3A60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954132"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"product_id": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-modelmesh-runtime-adapter-rhel8@sha256%3A5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953768"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"product_id": "registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-modelmesh-serving-controller-rhel8@sha256%3A873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953753"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"product_id": "registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-modelmesh-rhel8@sha256%3A6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732899102"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"product_id": "registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-notebook-controller-rhel8@sha256%3Af96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732953706"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"product_id": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-operator-bundle@sha256%3A3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1733155920"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"product_id": "registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-rhel8-operator@sha256%3A8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1733155448"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"product_id": "registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-training-operator-rhel8@sha256%3A68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954151"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"product_id": "registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-trustyai-service-operator-rhel8@sha256%3Aba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732954483"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64",
"product": {
"name": "registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64",
"product_id": "registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/odh-trustyai-service-rhel8@sha256%3Afeebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.16.0-1732898906"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64 as a component of Red Hat OpenShift AI 2.16",
"product_id": "Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
},
"product_reference": "registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64",
"relates_to_product_reference": "Red Hat OpenShift AI 2.16"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-3596",
"cwe": {
"id": "CWE-924",
"name": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel"
},
"discovery_date": "2024-02-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2263240"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the RADIUS (Remote Authentication Dial-In User Service) protocol allows attackers to forge authentication responses when the Message-Authenticator attribute is not enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This can result in unauthorized access by modifying an Access-Reject response to an Access-Accept response, thereby compromising the authentication process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "freeradius: forgery attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is of Important severity due to its ability to undermine the fundamental security mechanisms of RADIUS-based authentication systems. By exploiting the weak MD5 integrity check, an attacker can forge RADIUS responses, effectively bypassing authentication controls and gaining unauthorized access to network resources. This poses a significant threat to environments relying on RADIUS for user and device authentication, particularly those lacking enforced Message-Authenticator attributes or TLS/DTLS encryption.\n\nThere are several preconditions for this attack to be possible:\n* An attacker needs man-in-the-middle network access between the RADIUS client and server\n* The client and server must be using RADIUS/UDP to communicate\n* The attacker needs to be able to trigger a RADIUS client Access-Request ( for example the client is using PAP authentication)\n\nDue to these attack surface limitations, the impact is rated Important.\nWithin Red Hat offerings, this impacts the FreeRADIUS package. This flaw allows a local, unauthenticated attacker to conduct a man-in-the-middle attack to log in as a third party without knowing their credentials. Servers using Extensible Authentication Protocol (EAP) with required Message-Authenticator attributes or those employing TLS/DTLS encryption are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-3596"
},
{
"category": "external",
"summary": "RHBZ#2263240",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263240"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-3596",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3596"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-3596",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3596"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/",
"url": "https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc2865",
"url": "https://datatracker.ietf.org/doc/html/rfc2865"
},
{
"category": "external",
"summary": "https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf",
"url": "https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf"
},
{
"category": "external",
"summary": "https://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt",
"url": "https://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt"
},
{
"category": "external",
"summary": "https://www.blastradius.fail/",
"url": "https://www.blastradius.fail/"
},
{
"category": "external",
"summary": "https://www.kb.cert.org/vuls/id/456537",
"url": "https://www.kb.cert.org/vuls/id/456537"
}
],
"release_date": "2024-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T14:54:56+00:00",
"details": "For Red Hat OpenShift AI 2.16.0 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10852"
},
{
"category": "workaround",
"details": "Disable the use of RADIUS/UDP and RADIUS/TCP.\nRADIUS/TLS or RADIUS/DTLS should be used.",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "freeradius: forgery attack"
},
{
"cve": "CVE-2024-10963",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2024-11-07T07:38:52.548000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2324291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pam: Improper Hostname Interpretation in pam_access Leads to Access Control Bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in pam_access is rated with an Important severity because it directly impacts the integrity of access control mechanisms in secure environments. By allowing hostname spoofing to bypass restrictions intended for specific local TTYs or services, the vulnerability enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations. The potential for unauthorized access is significant, as attackers with root privileges on any networked device can impersonate trusted service names to evade local access controls.\n\nThis vulnerability was introduced in RHEL-9.4 and does not affect previous versions of RHEL-9.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-10963"
},
{
"category": "external",
"summary": "RHBZ#2324291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-10963",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10963"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-10963",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10963"
}
],
"release_date": "2024-11-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T14:54:56+00:00",
"details": "For Red Hat OpenShift AI 2.16.0 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10852"
},
{
"category": "workaround",
"details": "To reduce the risk, administrators should ensure that no DNS hostname matches local TTY or service names used in pam_access. Additionally, implement DNSSEC to prevent spoofing of DNS responses. For stronger protection, consider reconfiguring pam_access to only accept fully qualified domain names (FQDNs) in access.conf",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pam: Improper Hostname Interpretation in pam_access Leads to Access Control Bypass"
},
{
"cve": "CVE-2024-24786",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2024-03-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268046"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang\u0027s protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24786"
},
{
"category": "external",
"summary": "RHBZ#2268046",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268046"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"
},
{
"category": "external",
"summary": "https://go.dev/cl/569356",
"url": "https://go.dev/cl/569356"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/",
"url": "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2611",
"url": "https://pkg.go.dev/vuln/GO-2024-2611"
}
],
"release_date": "2024-03-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T14:54:56+00:00",
"details": "For Red Hat OpenShift AI 2.16.0 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10852"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON"
},
{
"cve": "CVE-2024-49767",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-10-25T20:00:37.993073+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2321829"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Werkzueg web application library. Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting and trigger a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64"
],
"known_not_affected": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-49767"
},
{
"category": "external",
"summary": "RHBZ#2321829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-49767",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49767"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49767"
},
{
"category": "external",
"summary": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee",
"url": "https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee"
},
{
"category": "external",
"summary": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b",
"url": "https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b"
},
{
"category": "external",
"summary": "https://github.com/pallets/werkzeug/releases/tag/3.0.6",
"url": "https://github.com/pallets/werkzeug/releases/tag/3.0.6"
},
{
"category": "external",
"summary": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2",
"url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2"
}
],
"release_date": "2024-10-25T19:41:35.029000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-05T14:54:56+00:00",
"details": "For Red Hat OpenShift AI 2.16.0 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10852"
},
{
"category": "workaround",
"details": "The Request.max_content_length setting and resource limits provided by deployment software and platforms are available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.",
"product_ids": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-codeflare-operator-rhel8@sha256:3fc2da180ef549a8041ebe6a5f5f24869a012a2416c2d3e154b2a5ba9645bf60_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-dashboard-rhel8@sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-argoexec-rhel8@sha256:0d5e5f17b2eac616c8f5701f89e7309b35000bb7771c311f8763b7b9d1f174a0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8@sha256:c5d22d63f967e5cf4bd35488dcf64ce0765a6a2a1070a911f66d7bf6f94f1136_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-data-science-pipelines-operator-controller-rhel8@sha256:4f7b6a45b4db2861c7e1ea225405ffcac3cf112b8eb9cf5a1c9fa7ffb68f6820_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kf-notebook-controller-rhel8@sha256:3e670a110eb3a6e59c6051b485bc88d39cb921b31854f36073f2088d52b53ce1_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kuberay-operator-controller-rhel8@sha256:efe0ec7e60c371b02f2d8431aab69eb1e2ff6c9c93c83d48f8b5e8a5e8d6e46f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-kueue-controller-rhel8@sha256:1fe9fb65f747f217c0f247519b23f702d0dfdb9fb471f99382afa9c25fec3c6f_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-api-server-v2-rhel8@sha256:4bc8931d063ab56fc99a62bf5b606e9f99addb61b6c097ee0401f7e31787a123_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-driver-rhel8@sha256:348e66c3e1e3c17106c4f4957c5e7b9bcefec80deb00e4900066262c356bc308_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-launcher-rhel8@sha256:f1861c81fbb70c28f408072b1bf1b4b79ae1a19637700c455f8133d191e78e6b_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8@sha256:ab129822211bc9af41a3a52ff10a88d7349a122d0c4e215c824f4e77437cad5e_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8@sha256:59aa33eb2adff1533465d89a6b86cb52c1823a4b724cc5fa535445277826ecf6_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mlmd-grpc-server-rhel8@sha256:d0e26b14b5c09c23193fbca6409e6a7124baa97138dfc75de17b48241636a4da_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-mm-rest-proxy-rhel8@sha256:c693bd7449c90b7406ce66652524d575c2b875d5c9f14f7ced79adf9c98d5fcb_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-controller-rhel8@sha256:56df2f7095c98e6aa73caf59bbb088ef0824ce0db6acdd5c3a15df53bfd3dbdd_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-operator-rhel8@sha256:1d348086632e5f94c923f91e40c823ab1c27c3b0abc008e8266abe2fd86062a5_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-model-registry-rhel8@sha256:60c9d0b547ad4d46cdabeb0dfb0c835c68c43bd34cd83b196155899b93017e38_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-rhel8@sha256:6f1ad9675887881dfaa7a8dd81a36ad86c9148f4882141f74b66b28144a73f29_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-runtime-adapter-rhel8@sha256:5f61cf084b1d79ee1b651f2b1777ff238c3e31eb76eba71ccb33b01c46f8c1af_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-modelmesh-serving-controller-rhel8@sha256:873167913efce726fe05667f2a5d3bbdd4aeedc6db905833c9ec620f39a33bd0_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-notebook-controller-rhel8@sha256:f96f5d774a07b8f345ddab253cc2671c92a8ba85dda89bd89e5e3c4f126eca50_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-operator-bundle@sha256:3e647011ba1561919aaac2c65fe605eff4c64fff4cc229e12490f90dcebf3669_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-rhel8-operator@sha256:8eebdb1fa9004bc34fc637ac6e8f195d0f7b71356714ef495c4c1f89d783eb84_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-training-operator-rhel8@sha256:68ca253d57a89eedda4bd65486ca480a25dd15ea1f7ff0376a50c7f4a40e1395_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-operator-rhel8@sha256:ba0929d09d596250ce4c35fc8e8ea1a325c35e87cac2fd4106d96573a870db12_amd64",
"Red Hat OpenShift AI 2.16:registry.redhat.io/rhoai/odh-trustyai-service-rhel8@sha256:feebb0e5015cba9d86d8ebf711c993f958f4cd01a935a136232b64fdd25bec0c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "werkzeug: python-werkzeug: Werkzeug possible resource exhaustion when parsing file data in forms"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.