CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 96.4%
Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.
Security Fix(es):
goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)
vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
go-yaml: Denial of Service in go-yaml (CVE-2021-4235)
vault: incorrect policy enforcement (CVE-2021-43998)
nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)
jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)
vault: insufficient certificate revocation list checking (CVE-2022-41316)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)
hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)
Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)
hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)
validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)
nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.