ID

VAR-202201-0349

CVE

CVE-2022-0235

TITLE

node-fetch  Open redirect vulnerability in

DESCRIPTION

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. node-fetch Exists in an open redirect vulnerability.Information may be obtained and information may be tampered with. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Description: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. Security Fix(es): * chart.js: prototype pollution (CVE-2020-7746) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * package immer before 9.0.6. Solution: For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. Red Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link. You must log in to download the update. Bugs fixed (https://bugzilla.redhat.com/): 2041833 - CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2066009 - CVE-2021-44906 minimist: prototype pollution 2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery 2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2096966 - CVE-2020-7746 chart.js: prototype pollution 2103584 - CVE-2022-0722 parse-url: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2107994 - CVE-2022-2458 Business-central: Possible XML External Entity Injection attack 5. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update Advisory ID: RHSA-2023:0612-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2023:0612 Issue date: 2023-02-06 CVE Names: CVE-2021-35065 CVE-2021-44906 CVE-2022-0235 CVE-2022-3517 CVE-2022-24999 CVE-2022-43548 ===================================================================== 1. Summary: An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.21.1), rh-nodejs14-nodejs-nodemon (2.0.20). (BZ#2129806, BZ#2135519, BZ#2135520, BZ#2141022) Security Fix(es): * glob-parent: Regular Expression Denial of Service (CVE-2021-35065) * minimist: prototype pollution (CVE-2021-44906) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517) * express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999) * nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * rh-nodejs14-nodejs: Provide full-i18n subpackage (BZ#2009880) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2009880 - rh-nodejs14-nodejs: Provide full-i18n subpackage 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2066009 - CVE-2021-44906 minimist: prototype pollution 2129806 - rh-nodejs14-nodejs: Rebase to the latest Nodejs 14 release [rhscl-3] 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function 2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address 2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-nodejs14-nodejs-14.21.1-3.el7.src.rpm rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.src.rpm noarch: rh-nodejs14-nodejs-docs-14.21.1-3.el7.noarch.rpm rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.noarch.rpm ppc64le: rh-nodejs14-nodejs-14.21.1-3.el7.ppc64le.rpm rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.ppc64le.rpm rh-nodejs14-nodejs-devel-14.21.1-3.el7.ppc64le.rpm rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.ppc64le.rpm rh-nodejs14-npm-6.14.17-14.21.1.3.el7.ppc64le.rpm s390x: rh-nodejs14-nodejs-14.21.1-3.el7.s390x.rpm rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.s390x.rpm rh-nodejs14-nodejs-devel-14.21.1-3.el7.s390x.rpm rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.s390x.rpm rh-nodejs14-npm-6.14.17-14.21.1.3.el7.s390x.rpm x86_64: rh-nodejs14-nodejs-14.21.1-3.el7.x86_64.rpm rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.x86_64.rpm rh-nodejs14-nodejs-devel-14.21.1-3.el7.x86_64.rpm rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.x86_64.rpm rh-nodejs14-npm-6.14.17-14.21.1.3.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-nodejs14-nodejs-14.21.1-3.el7.src.rpm rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.src.rpm noarch: rh-nodejs14-nodejs-docs-14.21.1-3.el7.noarch.rpm rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.noarch.rpm x86_64: rh-nodejs14-nodejs-14.21.1-3.el7.x86_64.rpm rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.x86_64.rpm rh-nodejs14-nodejs-devel-14.21.1-3.el7.x86_64.rpm rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.x86_64.rpm rh-nodejs14-npm-6.14.17-14.21.1.3.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-35065 https://access.redhat.com/security/cve/CVE-2021-44906 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-3517 https://access.redhat.com/security/cve/CVE-2022-24999 https://access.redhat.com/security/cve/CVE-2022-43548 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY+FwVdzjgjWX9erEAQhOWA/9Gq7cSRmn2ObA5/CYR5arq5ebBc/bOjp9 MJwS787yd1EpS/kHXp1xRl16lLtvKzJpDCVW3E2bEktdGk85avvwos9UaNWkHI16 DLuWJ2d0tgnGb16lWRmppsGHUCXn2ynh/9SlFFgoiry2LLsWsFmVb8kq20mtdvnA m4f5oUOgtCqQd+AM4o+dBjYZwNjJG6HiROLEk0BV4+gUDuFKzpPj5/cnVTExtMxV 5aL5I0a3jbpAnSIHl8BhiDY0/3w4iBKvBDm0XCjCHTPztxBHlqSukJ8cwkafPb9G 7PIfXzW53XBQj63pqNBtHBIz61llT3mNgTpq/6Y4VecVtrv8FIc+RbT0JmcNu2jB A2rVDJClTcLY9g4JO0JL9F4DbIL3d3btPU53yRsmQmuViEyCOkbmjxD7Bi5wb7cb tVWquVlPn/90yC0mfHIogWRaa4OIxJAJld/16alNtpepN4OwfSFW0Y2RI1A9cQlc 2NkMVFQF2hgst/g41Cd2weqkjieaowJZvVjKVRCQJHzOV8KwGBMUNd5uQzG6E4pK 6lzu7oCMtcWACvnkFzGelSvUjtzxvy+kevYx021OmAiHaEUSGWBXbsFQJENc/0OR Xroh/4/actC+fTk+OZVngp7hKAbyMk6x9xHwXrJECji4qnN3fZ81wjHQ5nj0OGfB m7TliM6t2f0= =3Acg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . (BZ# 2033339) * Restore/backup shows up as Validation failed but the restore backup status in ACM shows success (BZ# 2034279) * Observability - OCP 311 node role are not displayed completely (BZ# 2038650) * Documented uninstall procedure leaves many leftovers (BZ# 2041921) * infrastructure-operator pod crashes due to insufficient privileges in ACM 2.5 (BZ# 2046554) * Acm failed to install due to some missing CRDs in operator (BZ# 2047463) * Navigation icons no longer showing in ACM 2.5 (BZ# 2051298) * ACM home page now includes /home/ in url (BZ# 2051299) * proxy heading in Add Credential should be capitalized (BZ# 2051349) * ACM 2.5 tries to create new MCE instance when install on top of existing MCE 2.0 (BZ# 2051983) * Create Policy button does not work and user cannot use console to create policy (BZ# 2053264) * No cluster information was displayed after a policyset was created (BZ# 2053366) * Dynamic plugin update does not take effect in Firefox (BZ# 2053516) * Replicated policy should not be available when creating a Policy Set (BZ# 2054431) * Placement section in Policy Set wizard does not reset when users click "Back" to re-configured placement (BZ# 2054433) 3. Bugs fixed (https://bugzilla.redhat.com/): 2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2028224 - RHACM 2.5.0 images 2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?) 2028647 - Clusters are in 'Degraded' status with upgrade env due to obs-controller not working properly 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2033339 - create cluster pool -> choose infra type , As a result infra providers disappear from UI. 2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub 2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO 2073355 - Get blank page when click policy with unknown status in Governance -> Overview page 2073508 - Thread responsible to get insights data from *ks clusters is broken 2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters 2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology 2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin 2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of "resource conflict" error 2074178 - Editing Helm Argo Applications does not Prune Old Resources 2074626 - Policy placement failure during ZTP SNO scale test 2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store 2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal 2074937 - UI allows creating cluster even when there are no ClusterImageSets 2075416 - infraEnv failed to create image after restore 2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod 2075739 - The lookup function won't check the referred resource whether exist when using template policies 2076421 - Can't select existing placement for policy or policyset when editing policy or policyset 2076494 - No policyreport CR for spoke clusters generated in the disconnected env 2076502 - The policyset card doesn't show the cluster status(violation/without violation) again after deleted one policy 2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator 2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster 2077291 - Prometheus doesn't display acm_managed_cluster_info after upgrade from 2.4 to 2.5 2077304 - Create Cluster button is disabled only if other clusters exist 2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5 2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI 2077751 - Can't create a template policy from UI when the object's name is referring Golang text template syntax in this policy 2077783 - Still show violation for clusterserviceversions after enforced "Detect Image vulnerabilities " policy template and the operator is installed 2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set 2078164 - Failed to edit a policy without placement 2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement 2078373 - Disable the hyperlink of *ks node in standalone MCE environment since the search component was not exists 2078617 - Azure public credential details get pre-populated with base domain name in UI 2078952 - View pod logs in search details returns error 2078973 - Crashed pod is marked with success in Topology 2079013 - Changing existing placement rules does not change YAML file 2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM 2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on 2079494 - Hitting Enter in yaml editor caused unexpected keys "key00x:" to be created 2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5 2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page 2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted 2079615 - Edit appset placement in UI with a new placement throws error upon submitting 2079658 - Cluster Count is Incorrect in Application UI 2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower 2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters 2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role 2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses 2080503 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes 2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page 2080712 - Select an existing placement configuration does not work 2080776 - Unrecognized characters are displayed on policy and policy set yaml editors 2081792 - When deploying an application to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster 2081810 - Type '-' character in Name field caused previously typed character backspaced in in the name field of policy wizard 2081829 - Application deployed on local cluster's topology is crashing after upgrade 2081938 - The deleted policy still be shown on the policyset review page when edit this policy set 2082226 - Object Storage Topology includes residue of resources after Upgrade 2082409 - Policy set details panel remains even after the policy set has been deleted 2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets 2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod 2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated 2083434 - The provider-credential-controller did not support the RHV credentials type 2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace 2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule gets displayed 2084034 - The status message looks messy in the policy set card, suggest one kind status one a row 2084158 - Support provisioning bm cluster where no provisioning network provided 2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade] 2085083 - Policies fail to copy to cluster namespace after ACM upgrade 2085237 - Resources referenced by a channel are not annotated with backup label 2085273 - Error querying for ansible job in app topology 2085281 - Template name error is reported but the template name was found in a different replicated policy 2086389 - The policy violations for hibernated cluster still be displayed on the policy set details page 2087515 - Validation thrown out in configuration for disconnect install while creating bm credential 2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade] 2088511 - Some cluster resources are not showing labels that are defined in the YAML 5. This update provides security fixes, fixes bugs, and updates the container images. Description: Red Hat Advanced Cluster Management for Kubernetes 2.4.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide some security fixes and bug fixes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/ Security updates: * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * containerd: Unprivileged pod may bind mount any privileged regular file on disk (CVE-2021-43816) * minio-go: user privilege escalation in AddUser() admin API (CVE-2021-43858) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * fastify-static: open redirect via an URL with double slash followed by a domain (CVE-2021-22963) * moby: `docker cp` allows unexpected chmod of host file (CVE-2021-41089) * moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal (CVE-2021-41091) * golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565) * node-fetch: Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235) * nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450) Bug fixes: * Trying to create a new cluster on vSphere and no feedback, stuck in "creating" (Bugzilla #1937078) * The hyperlink of *ks cluster node cannot be opened when I want to check the node (Bugzilla #2028100) * Unable to make SSH connection to a Bitbucket server (Bugzilla #2028196) * RHACM cannot deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1) (Bugzilla #2028931) * RHACM 2.4.2 images (Bugzilla #2029506) * Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0 (Bugzilla #2030005) * Namespace left orphaned after destroying the cluster (Bugzilla #2030379) * The results filtered through the filter contain some data that should not be present in cluster page (Bugzilla #2034198) * Git over ssh doesn't use custom port set in url (Bugzilla #2036057) * The value of name label changed from clusterclaim name to cluster name (Bugzilla #2042223) * ACM configuration policies do not handle Limitrange or Quotas values (Bugzilla #2042545) * Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6 (Bugzilla #2050847) * The azure government regions were not list in the region drop down list when creating the cluster (Bugzilla #2051797) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 2001668 - [DDF] normally, in the OCP web console, one sees a yaml of the secret, where at the bottom, the following is shown: 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2008592 - CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file 2012909 - [DDF] We feel it would be beneficial to add a sub-section here referencing the reconcile options available to users when 2015152 - CVE-2021-22963 fastify-static: open redirect via an URL with double slash followed by a domain 2023448 - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability 2028100 - The hyperlink of *ks cluster node can not be opened when I want to check the node 2028196 - Unable to make SSH connection to a Bitbucket server 2028931 - RHACM can not deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1) 2029506 - RHACM 2.4.2 images 2030005 - Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0 2030379 - Namespace left orphaned after destroying the cluster 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2032957 - Missing AWX templates in ACM 2034198 - The results filtered through the filter contain some data that should not be present in cluster page 2036057 - git over ssh doesn't use custom port set in url 2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API 2039378 - Deploying CRD via Application does not update status in ACM console 2041015 - The base domain did not updated when switch the provider credentials during create the cluster/cluster pool 2042545 - ACM configuration policies do not handle Limitrange or Quotas values 2043519 - "apps.open-cluster-management.io/git-branch" annotation should be mandatory 2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2050847 - Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6 2051797 - the azure government regions were not list in the region drop down list when create the cluster 2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution, xss

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-08-11T20:20:21.134000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE