{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T15:11:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27918", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw", "refsource": "MISC", "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"name": "GLSA-202208-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:33:16.406Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-02"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27918", "datePublished": "2021-03-10T23:54:43", "dateReserved": "2021-03-03T00:00:00", "dateUpdated": "2024-08-03T21:33:16.406Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB004DF7-C7C5-4A2C-A0B1-5296DEBC64DD", "versionEndExcluding": "1.15.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "23643AC7-98B9-465F-B10B-C7AD4C59F77E", "versionEndExcluding": "1.16.1", "versionStartIncluding": "1.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method."}, {"lang": "es", "value": "encoding/xml en Go versiones anteriores a 1.15.9 y versiones 1.16.x anteriores a 1.16.1, presenta un bucle infinito si un TokenReader personalizado (para xml.NewTokenDecoder) devuelve EOF en medio de un elemento. Esto puede ocurrir en el m\u00e9todo Decode, DecodeElement o Skip"}], "id": "CVE-2021-27918", "lastModified": "2022-12-13T16:28:13.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-11T00:15:12.030", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.22.0-4", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.16.0-6", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.22.0-4", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.16.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.23.2-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.23.2-1", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.17.0-11", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:2704", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.22.0-3.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:3555", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.23.2-1.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3076", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8040020210716085908.5081a262", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/cephcsi-rhel8:4.8-125.01872cc.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/mcg-core-rhel8:5.8.0-38.e060925.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/mcg-rhel8-operator:5.8.0-27.4a6ca5f.5.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/ocs-must-gather-rhel8:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/ocs-operator-bundle:4.8.0-5", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/ocs-rhel8-operator:4.8-196.a35d7d7.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/rook-ceph-rhel8-operator:4.8-167.9a9db5f.release_4.8", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}, {"advisory": "RHBA-2021:3003", "cpe": "cpe:/a:redhat:openshift_container_storage:4.8::el8", "impact": "low", "package": "ocs4/volume-replication-rhel8-operator:4.8-20.ab575a2.release_v0.1", "product_name": "Red Hat OpenShift Container Storage 4.8.0 on RHEL-8", "release_date": "2021-08-03T00:00:00Z"}], "bugzilla": {"description": "golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader", "id": "1937901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937901"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.", "An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS)."], "name": "CVE-2021-27918", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "distributed-tracing/jaeger-all-in-one-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "distributed-tracing/jaeger-collector-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Will not fix", "package_name": "distributed-tracing/jaeger-rhel8-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "knative-serving", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Affected", "package_name": "go-toolset-1.14-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc-libraries", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:1.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:2.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-10-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-9-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "container-native-virtualization/vm-import-controller-rhel8", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hostpath-provisioner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hostpath-provisioner-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hyperconverged-cluster-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "hyperconverged-cluster-webhook-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "kubevirt-cpu-model-nfd-plugin", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "kubevirt-vmware-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "node-maintenance-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "virt-cdi-apiserver-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "virt-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "virt-launcher-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2021-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-27918\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27918\nhttps://groups.google.com/g/golang-announce/c/MfiLYjG-RAw"], "statement": "OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization all bundle vulnerable versions of the golang standard library (stdlib). However, no component within each product utilizes the function xml.NewTokenDecoder which is a requirement to be vulnerable. Hence, all affected components are marked as \"Will not fix\". Additionally no OCP container has been listed, as nearly all available containers are compiled with an affected version of Go, but do not utilize the function xml.NewTokenDecoder.\nRed Hat Ceph Storage (RHCS), Red Hat Gluster Storage 3 and OpenShift Container Storage 4 also bundles a vulnerable version of golang standard library 'encoding/xml', but does not utilize the function xml.NewTokenDecoder, and hence this issue has been rated as having a security impact of Low.", "threat_severity": "Moderate", "upstream_fix": "go 1.15.9, go 1.16.1"}