cvelistv5 - cve-2024-45816

cve-2024-45816

Vulnerability from cvelistv5

Published

2024-09-17 20:13

Modified

2024-09-18 14:50

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g	Third Party Advisory

Impacted products

	Vendor	Product	Version
	backstage	backstage	Version: < 1.10.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-18T14:50:10.374774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-18T14:50:20.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "backstage",
          "vendor": "backstage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-17T20:13:29.331Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g"
        }
      ],
      "source": {
        "advisory": "GHSA-39v3-f278-vj3g",
        "discovery": "UNKNOWN"
      },
      "title": "Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45816",
    "datePublished": "2024-09-17T20:13:29.331Z",
    "dateReserved": "2024-09-09T14:23:07.506Z",
    "dateUpdated": "2024-09-18T14:50:20.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-45816\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-17T21:15:12.553\",\"lastModified\":\"2025-01-03T14:52:37.133\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Backstage es un framework abierto para crear portales para desarrolladores. Al utilizar el proveedor de almacenamiento AWS S3 o GCS para TechDocs, es posible acceder al contenido de todo el dep\u00f3sito de almacenamiento. Esto puede filtrar contenido del dep\u00f3sito al que no se pretende acceder, as\u00ed como eludir las comprobaciones de permisos en Backstage. Esto se ha solucionado en la versi\u00f3n 1.10.13 del paquete `@backstage/plugin-techdocs-backend`. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.13\",\"matchCriteriaId\":\"0305D9A0-C145-42FD-9630-E0DD2057FE9C\"}]}]}],\"references\":[{\"url\":\"https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45816\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-18T14:50:10.374774Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-18T14:50:16.575Z\"}}], \"cna\": {\"title\": \"Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend\", \"source\": {\"advisory\": \"GHSA-39v3-f278-vj3g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"backstage\", \"product\": \"backstage\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.10.13\"}]}], \"references\": [{\"url\": \"https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g\", \"name\": \"https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23: Relative Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-17T20:13:29.331Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-45816\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-18T14:50:20.582Z\", \"dateReserved\": \"2024-09-09T14:23:07.506Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-17T20:13:29.331Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-39v3-f278-vj3g

Vulnerability from github

Published

2024-09-17 21:30

Modified

2025-01-03 16:12

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Summary

@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability

Details

Impact

When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.

Patches

This has been fixed in the 1.10.13 release of the @backstage/plugin-techdocs-backend package.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository Visit our Discord, linked to in Backstage README

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/plugin-techdocs-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T21:30:20Z",
    "nvd_published_at": "2024-09-17T21:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.\n\n### Patches\n\nThis has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in the [Backstage repository](https://github.com/backstage/backstage)\nVisit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)\n",
  "id": "GHSA-39v3-f278-vj3g",
  "modified": "2025-01-03T16:12:39Z",
  "published": "2024-09-17T21:30:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45816"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability"
}

rhba-2024:11265

Vulnerability from csaf_redhat

Published

2024-12-17 15:12

Modified

2025-02-13 16:38

Summary

Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.4.0 release.

Notes

Topic

Red Hat Developer Hub 1.4 has been released.

Details

Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Developer Hub 1.4 has been released.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHBA-2024:11265",
        "url": "https://access.redhat.com/errata/RHBA-2024:11265"
      },
      {
        "category": "external",
        "summary": "https://developers.redhat.com/rhdh/overview",
        "url": "https://developers.redhat.com/rhdh/overview"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
        "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
        "url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-21536",
        "url": "https://access.redhat.com/security/cve/CVE-2024-21536"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-21538",
        "url": "https://access.redhat.com/security/cve/CVE-2024-21538"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-45296",
        "url": "https://access.redhat.com/security/cve/CVE-2024-45296"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-45590",
        "url": "https://access.redhat.com/security/cve/CVE-2024-45590"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-45815",
        "url": "https://access.redhat.com/security/cve/CVE-2024-45815"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-45816",
        "url": "https://access.redhat.com/security/cve/CVE-2024-45816"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-46976",
        "url": "https://access.redhat.com/security/cve/CVE-2024-46976"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-47762",
        "url": "https://access.redhat.com/security/cve/CVE-2024-47762"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhba-2024_11265.json"
      }
    ],
    "title": "Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.4.0 release.",
    "tracking": {
      "current_release_date": "2025-02-13T16:38:02+00:00",
      "generator": {
        "date": "2025-02-13T16:38:02+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.3.1"
        }
      },
      "id": "RHBA-2024:11265",
      "initial_release_date": "2024-12-17T15:12:17+00:00",
      "revision_history": [
        {
          "date": "2024-12-17T15:12:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-02-12T15:12:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-02-13T16:38:02+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Developer Hub (RHDH) 1.4",
                "product": {
                  "name": "Red Hat Developer Hub (RHDH) 1.4",
                  "product_id": "Red Hat Developer Hub (RHDH) 1.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhdh:1.4::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Developer Hub (RHDH)"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-hub-rhel9@sha256%3A48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.4-1734106454"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.4-1734106469"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-operator-bundle@sha256%3A2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.4-1734113472"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64 as a component of Red Hat Developer Hub (RHDH) 1.4",
          "product_id": "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub (RHDH) 1.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64 as a component of Red Hat Developer Hub (RHDH) 1.4",
          "product_id": "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub (RHDH) 1.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64 as a component of Red Hat Developer Hub (RHDH) 1.4",
          "product_id": "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub (RHDH) 1.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-21536",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-19T06:00:36.846953+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2319884"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "http-proxy-middleware: Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21536"
        },
        {
          "category": "external",
          "summary": "RHBZ#2319884",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319884"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21536",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21536"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a",
          "url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5",
          "url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22",
          "url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906",
          "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"
        }
      ],
      "release_date": "2024-10-19T05:00:04.056000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have any mitigation recommendations at this time.",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "http-proxy-middleware: Denial of Service"
    },
    {
      "cve": "CVE-2024-21538",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2024-11-08T13:44:29.182678+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2324550"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cross-spawn: regular expression denial of service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21538"
        },
        {
          "category": "external",
          "summary": "RHBZ#2324550",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324550"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21538",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538"
        },
        {
          "category": "external",
          "summary": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff",
          "url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"
        },
        {
          "category": "external",
          "summary": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f",
          "url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"
        },
        {
          "category": "external",
          "summary": "https://github.com/moxystudio/node-cross-spawn/pull/160",
          "url": "https://github.com/moxystudio/node-cross-spawn/pull/160"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230",
          "url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"
        }
      ],
      "release_date": "2024-11-08T05:00:04.695000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "cross-spawn: regular expression denial of service"
    },
    {
      "cve": "CVE-2024-45296",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2024-09-09T19:20:18.127723+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2310908"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "path-to-regexp: Backtracking regular expressions cause ReDoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-45296"
        },
        {
          "category": "external",
          "summary": "RHBZ#2310908",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310908"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45296",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296"
        },
        {
          "category": "external",
          "summary": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f",
          "url": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f"
        },
        {
          "category": "external",
          "summary": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6",
          "url": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6"
        },
        {
          "category": "external",
          "summary": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j",
          "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j"
        }
      ],
      "release_date": "2024-09-09T19:15:13.330000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "path-to-regexp: Backtracking regular expressions cause ReDoS"
    },
    {
      "cve": "CVE-2024-45590",
      "cwe": {
        "id": "CWE-405",
        "name": "Asymmetric Resource Consumption (Amplification)"
      },
      "discovery_date": "2024-09-10T16:20:29.292154+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2311171"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "body-parser: Denial of Service Vulnerability in body-parser",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-45590"
        },
        {
          "category": "external",
          "summary": "RHBZ#2311171",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311171"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45590",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-45590"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce",
          "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7",
          "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"
        }
      ],
      "release_date": "2024-09-10T16:15:21.083000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "body-parser: Denial of Service Vulnerability in body-parser"
    },
    {
      "cve": "CVE-2024-45815",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2024-09-17T21:20:06.780788+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2312952"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the backstage/plugin-catalog-backend package. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "plugin-catalog-backend: prototype pollution vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-45815"
        },
        {
          "category": "external",
          "summary": "RHBZ#2312952",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312952"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45815",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-45815"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45815",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45815"
        },
        {
          "category": "external",
          "summary": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j",
          "url": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j"
        }
      ],
      "release_date": "2024-09-17T21:15:12.320000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "plugin-catalog-backend: prototype pollution vulnerability"
    },
    {
      "cve": "CVE-2024-45816",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "discovery_date": "2024-09-17T21:20:09.051855+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2312953"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A directory traversal vulnerability was found in the backstage/plugin-techdocs-backend package. When using the AWS S3 or GCS storage provider for TechDocs, it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "plugin-techdocs-backend: storage bucket directory traversal in TechDocs",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-45816"
        },
        {
          "category": "external",
          "summary": "RHBZ#2312953",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312953"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45816",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-45816"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45816",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45816"
        },
        {
          "category": "external",
          "summary": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g",
          "url": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g"
        }
      ],
      "release_date": "2024-09-17T21:15:12.553000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "plugin-techdocs-backend: storage bucket directory traversal in TechDocs"
    },
    {
      "cve": "CVE-2024-46976",
      "cwe": {
        "id": "CWE-693",
        "name": "Protection Mechanism Failure"
      },
      "discovery_date": "2024-09-17T21:20:11.815685+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2312954"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the backstage/plugin-techdocs-backend package. An attacker with control of the contents of the TechDocs storage buckets may be able to inject executable scripts in the TechDocs content that will be executed in the victim\u0027s browser when browsing documentation or navigating to an attacker provided link.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "plugin-techdocs-backend: circumvention of XSS protection in TechDocs",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-46976"
        },
        {
          "category": "external",
          "summary": "RHBZ#2312954",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312954"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-46976",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-46976"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-46976",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46976"
        },
        {
          "category": "external",
          "summary": "https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685",
          "url": "https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685"
        }
      ],
      "release_date": "2024-09-17T21:15:12.763000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "plugin-techdocs-backend: circumvention of XSS protection in TechDocs"
    },
    {
      "cve": "CVE-2024-47762",
      "cwe": {
        "id": "CWE-440",
        "name": "Expected Behavior Violation"
      },
      "discovery_date": "2024-10-03T18:01:14.495619+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316342"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the backstage/plugin-app-backend package. Configurations supplied through APP_CONFIG_* environment variables unexpectedly ignore the visibility defined in the configuration schema, potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "backstage/plugin-app-backend: Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
          "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47762"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316342",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316342"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47762",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47762"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47762",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47762"
        },
        {
          "category": "external",
          "summary": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f",
          "url": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f"
        },
        {
          "category": "external",
          "summary": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc",
          "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc"
        }
      ],
      "release_date": "2024-10-03T17:14:34.529000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T15:12:17+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:11265"
        },
        {
          "category": "workaround",
          "details": "Avoid supplying secrets using the APP_CONFIG_* configuration pattern. Consider alternative methods such as the environment variable substitution.\n\nSee this link for more information about environment variable substitution: https://backstage.io/docs/conf/writing/#environment-variable-substitution",
          "product_ids": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:2981d2470951ea1e26eb968aefc39ab48ab7d9634a520cf2bbd8c5fef313db15_amd64",
            "Red Hat Developer Hub (RHDH) 1.4:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:448fba0f5f87dc6508b96503fbb794b5b67ed4dea3c95f42d5accdfe1c77e721_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "backstage/plugin-app-backend: Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend"
    }
  ]
}

fkie_cve-2024-45816

Vulnerability from fkie_nvd

Published

2024-09-17 21:15

Modified

2025-01-03 14:52

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g	Third Party Advisory

Impacted products

	Vendor	Product	Version
	linuxfoundation	backstage	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0305D9A0-C145-42FD-9630-E0DD2057FE9C",
              "versionEndExcluding": "1.10.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Backstage es un framework abierto para crear portales para desarrolladores. Al utilizar el proveedor de almacenamiento AWS S3 o GCS para TechDocs, es posible acceder al contenido de todo el dep\u00f3sito de almacenamiento. Esto puede filtrar contenido del dep\u00f3sito al que no se pretende acceder, as\u00ed como eludir las comprobaciones de permisos en Backstage. Esto se ha solucionado en la versi\u00f3n 1.10.13 del paquete `@backstage/plugin-techdocs-backend`. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-45816",
  "lastModified": "2025-01-03T14:52:37.133",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-17T21:15:12.553",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-23"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-45816

Vulnerability from cvelistv5

ghsa-39v3-f278-vj3g

Vulnerability from github

Impact

Patches

References

rhba-2024:11265

Vulnerability from csaf_redhat

fkie_cve-2024-45816

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature