(RHSA-2023:0584) Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

2023-05-1814:25:47

access.redhat.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.3%

JSON

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1

Security Fix(es):

golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.