CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.6%
OpenShift Virtualization is Red Hat’s virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 2.6.0 images:
kubevirt-cpu-node-labeller-container-v2.6.0-5
kubevirt-cpu-model-nfd-plugin-container-v2.6.0-5
node-maintenance-operator-container-v2.6.0-13
kubevirt-vmware-container-v2.6.0-5
virtio-win-container-v2.6.0-5
kubevirt-kvm-info-nfd-plugin-container-v2.6.0-5
bridge-marker-container-v2.6.0-9
kubevirt-template-validator-container-v2.6.0-9
kubevirt-v2v-conversion-container-v2.6.0-6
kubemacpool-container-v2.6.0-13
kubevirt-ssp-operator-container-v2.6.0-40
hyperconverged-cluster-webhook-container-v2.6.0-73
hyperconverged-cluster-operator-container-v2.6.0-73
ovs-cni-plugin-container-v2.6.0-10
cnv-containernetworking-plugins-container-v2.6.0-10
ovs-cni-marker-container-v2.6.0-10
cluster-network-addons-operator-container-v2.6.0-16
hostpath-provisioner-container-v2.6.0-11
hostpath-provisioner-operator-container-v2.6.0-14
vm-import-virtv2v-container-v2.6.0-21
kubernetes-nmstate-handler-container-v2.6.0-19
vm-import-controller-container-v2.6.0-21
vm-import-operator-container-v2.6.0-21
virt-api-container-v2.6.0-111
virt-controller-container-v2.6.0-111
virt-handler-container-v2.6.0-111
virt-operator-container-v2.6.0-111
virt-launcher-container-v2.6.0-111
cnv-must-gather-container-v2.6.0-54
virt-cdi-importer-container-v2.6.0-24
virt-cdi-cloner-container-v2.6.0-24
virt-cdi-controller-container-v2.6.0-24
virt-cdi-uploadserver-container-v2.6.0-24
virt-cdi-apiserver-container-v2.6.0-24
virt-cdi-uploadproxy-container-v2.6.0-24
virt-cdi-operator-container-v2.6.0-24
hco-bundle-registry-container-v2.6.0-582
Security Fix(es):
golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)
gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)
containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.