{"containers": {"cna": {"affected": [{"product": "postcss", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "7.0.0", "versionType": "custom"}, {"lessThan": "8.2.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Yeting Li"}], "datePublic": "2021-04-12T00:00:00", "descriptions": [{"lang": "en", "value": "The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-21T10:06:19", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] henningn opened a new pull request #774: build(postcss): update dependency to fix CVE-2021-23368", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1%40%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] henningn merged pull request #774: build(postcss): update dependency to fix CVE-2021-23368", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33%40%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #775: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be%40%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-commits] 20210421 [myfaces-tobago] branch master updated: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013%40%3Ccommits.myfaces.apache.org%3E"}, {"name": "[myfaces-commits] 20210421 [myfaces-tobago] branch master updated: build(postcss): update dependency to fix CVE-2021-23368", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb%40%3Ccommits.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] lofwyr14 merged pull request #775: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab%40%3Cdev.myfaces.apache.org%3E"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-04-12T13:48:15.877501Z", "ID": "CVE-2021-23368", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "postcss", "version": {"version_data": [{"version_affected": ">=", "version_value": "7.0.0"}, {"version_affected": "<", "version_value": "8.2.10"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Yeting Li"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795"}, {"name": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5", "refsource": "MISC", "url": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5"}, {"name": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4", "refsource": "MISC", "url": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] henningn opened a new pull request #774: build(postcss): update dependency to fix CVE-2021-23368", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] henningn merged pull request #774: build(postcss): update dependency to fix CVE-2021-23368", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #775: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-commits] 20210421 [myfaces-tobago] branch master updated: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E"}, {"name": "[myfaces-commits] 20210421 [myfaces-tobago] branch master updated: build(postcss): update dependency to fix CVE-2021-23368", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] lofwyr14 merged pull request #775: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.799Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] henningn opened a new pull request #774: build(postcss): update dependency to fix CVE-2021-23368", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1%40%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] henningn merged pull request #774: build(postcss): update dependency to fix CVE-2021-23368", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33%40%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #775: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be%40%3Cdev.myfaces.apache.org%3E"}, {"name": "[myfaces-commits] 20210421 [myfaces-tobago] branch master updated: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013%40%3Ccommits.myfaces.apache.org%3E"}, {"name": "[myfaces-commits] 20210421 [myfaces-tobago] branch master updated: build(postcss): update dependency to fix CVE-2021-23368", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb%40%3Ccommits.myfaces.apache.org%3E"}, {"name": "[myfaces-dev] 20210421 [GitHub] [myfaces-tobago] lofwyr14 merged pull request #775: Updating lib, to avoid CVE problem CVE-2021-23368 with postcss", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab%40%3Cdev.myfaces.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23368", "datePublished": "2021-04-12T13:50:14.764222Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T17:27:47.659Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postcss:postcss:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B0644E66-D301-4D2D-8019-27F2B5921EF3", "versionEndExcluding": "7.0.36", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postcss:postcss:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4E58DE0A-C914-45F6-AB3F-D643AEAED341", "versionEndExcluding": "8.2.10", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing."}, {"lang": "es", "value": "El paquetes postcss desde versiones 7.0.0 y anteriores a 8.2.10 son vulnerables a una Denegaci\u00f3n de Servicio de Expresiones Regulares (ReDoS) durante el an\u00e1lisis del mapa de origen"}], "id": "CVE-2021-23368", "lastModified": "2024-11-21T05:51:35.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-12T14:15:14.257", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be%40%3Cdev.myfaces.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1%40%3Cdev.myfaces.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab%40%3Cdev.myfaces.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013%40%3Ccommits.myfaces.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33%40%3Cdev.myfaces.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb%40%3Ccommits.myfaces.apache.org%3E"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be%40%3Cdev.myfaces.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1%40%3Cdev.myfaces.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab%40%3Cdev.myfaces.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013%40%3Ccommits.myfaces.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33%40%3Cdev.myfaces.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb%40%3Ccommits.myfaces.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/grc-ui-rhel8:v2.3.0-100", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:2438", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "impact": "low", "package": "openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-07-27T00:00:00Z"}, {"advisory": "RHSA-2021:3917", "cpe": "cpe:/a:redhat:quay:3::el8", "impact": "low", "package": "quay/quay-rhel8:v3.6.0-62", "product_name": "Red Hat Quay 3", "release_date": "2021-10-19T00:00:00Z"}], "bugzilla": {"description": "nodejs-postcss: Regular expression denial of service during source map parsing", "id": "1948763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948763"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.", "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss`. When parsing a supplied CSS string, if it contains an unexpected value then as the supplied CSS grows in length it will take an ever increasing amount of time to process. An attacker can use this vulnerability to potentially craft a malicious a long CSS value to process resulting in a denial of service."], "name": "CVE-2021-23368", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "application-ui", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "console", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "search-ui", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "postcss", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "golang-github-prometheus-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "cockpit-ovirt", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "ovirt-engine-ui-extensions", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "ovirt-web-ui", "product_name": "Red Hat Virtualization 4"}], "public_date": "2021-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23368\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23368"], "statement": "In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\nIn Red Had Quay , whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.\nIn Red Hat Virtualization a vulnerable version of postcss is used in cockpit-ovirt, ovirt-web-ui and ovirt-engine-ui-extensions. However, it is only used during development and is used to process known CSS content. This flaw has been marked as \"wontfix\" and it may be addressed in future updates.", "threat_severity": "Moderate", "upstream_fix": "postcss 8.2.10"}