Red Hat RHSA-2024:3868
History: Jun 17, 2024 - 12:42 a.m.

(RHSA-2024:3868) Important: Network Observability 1.6.0 for OpenShift

2024-06-17 00:42:24
access.redhat.com

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.5
Confidence: High

EPSS: 0.005
Percentile: 77.0%

Network Observability 1.6.0

Security Fix(es):

  • CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak
  • CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
  • CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
  • CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
  • CVE-2024-28849 follow-redirects: Possible credential leak
  • CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  • CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  • CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
  • CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
  • CVE-2024-29041 express: cause malformed URLs to be evaluated [noo-1]

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
