{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T15:11:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27918", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw", "refsource": "MISC", "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"name": "GLSA-202208-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:33:16.406Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-02"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27918", "datePublished": "2021-03-10T23:54:43", "dateReserved": "2021-03-03T00:00:00", "dateUpdated": "2024-08-03T21:33:16.406Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB004DF7-C7C5-4A2C-A0B1-5296DEBC64DD", "versionEndExcluding": "1.15.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "23643AC7-98B9-465F-B10B-C7AD4C59F77E", "versionEndExcluding": "1.16.1", "versionStartIncluding": "1.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method."}, {"lang": "es", "value": "encoding/xml en Go versiones anteriores a 1.15.9 y versiones 1.16.x anteriores a 1.16.1, presenta un bucle infinito si un TokenReader personalizado (para xml.NewTokenDecoder) devuelve EOF en medio de un elemento. Esto puede ocurrir en el m\u00e9todo Decode, DecodeElement o Skip"}], "id": "CVE-2021-27918", "lastModified": "2024-11-21T05:58:48.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-11T00:15:12.030", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.22.0-4", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.16.0-6", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.22.0-4", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.16.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.23.2-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.23.2-1", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.17.0-11", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:2704", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.22.0-3.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:3555", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.23.2-1.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3076", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8040020210716085908.5081a262", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/cephcsi-rhel8:4.8-125.01872cc.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/mcg-core-rhel8:5.8.0-38.e060925.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/mcg-rhel8-operator:5.8.0-27.4a6ca5f.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/ocs-must-gather-rhel8:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/ocs-operator-bundle:4.8.0-5", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/ocs-rhel8-operator:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/volume-replication-rhel8-operator:4.8-20.ab575a2.release_v0.1", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}], "bugzilla": {"description": "golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader", "id": "1937901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937901"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.", "An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS)."], "name": "CVE-2021-27918", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "distributed-tracing/jaeger-all-in-one-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "distributed-tracing/jaeger-collector-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "distributed-tracing/jaeger-rhel8-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-serving", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Affected", "package_name": "go-toolset-1.14-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc-libraries", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:1.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:2.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-10-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-9-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "container-native-virtualization/vm-import-controller-rhel8", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hostpath-provisioner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hostpath-provisioner-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hyperconverged-cluster-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hyperconverged-cluster-webhook-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "kubevirt-cpu-model-nfd-plugin", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "kubevirt-vmware-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "node-maintenance-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "virt-cdi-apiserver-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "virt-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "virt-launcher-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2021-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-27918\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27918\nhttps://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"], "statement": "OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization all bundle vulnerable versions of the golang standard library (stdlib). However, no component within each product utilizes the function xml.NewTokenDecoder which is a requirement to be vulnerable. Hence, all affected components are marked as \"Will not fix\". Additionally no OCP container has been listed, as nearly all available containers are compiled with an affected version of Go, but do not utilize the function xml.NewTokenDecoder.\nRed Hat Ceph Storage (RHCS), Red Hat Gluster Storage 3 and OpenShift Container Storage 4 also bundles a vulnerable version of golang standard library 'encoding/xml', but does not utilize the function xml.NewTokenDecoder, and hence this issue has been rated as having a security impact of Low.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to ensure the most restrictive setting needed for operational requirements. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, enabling capabilities like excessive CPU usage, long execution times, or processes consuming abnormal amounts of memory. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing infinite loops caused by malformed or unexpected input, such as unbounded user input or unexpected null values that cause loops to never terminate. In the event of successful exploitation, process isolation limits the effect of an infinite loop to a single process rather than allowing it to consume all system resources.", "threat_severity": "Moderate"}

{}