CVE-2021-33196 - Vulnerability Details

In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Golang	Go
Redhat	Devtools Enterprise Linux Jaeger Openshift Rhmt Serverless

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Openshift Serveless 1.16
openshift-serverless-1/client-kn-rhel8:0.22.0-4	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-controller-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-mtping-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-storage-version-migration-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-sugar-controller-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/eventing-webhook-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.16.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.16.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/kourier-control-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/net-istio-controller-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/net-istio-webhook-rhel8:0.22.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.16.0-6	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.16.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-activator-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-autoscaler-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-controller-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-domain-mapping-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-queue-rhel8:0.22.0-4	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-storage-version-migration-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/serving-webhook-rhel8:0.22.0-3	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.16.0-2	cpe:/a:redhat:serverless:1.16::el8	RHSA-2021:2705	2021-07-13T00:00:00Z
Openshift Serverless 1.17
openshift-serverless-1/client-kn-rhel8:0.23.2-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-controller-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-mtping-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-storage-version-migration-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-sugar-controller-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/eventing-webhook-rhel8:0.23.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.17.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.17.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:0.23.2-1	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/kourier-control-rhel8:0.23.0-4	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/net-istio-controller-rhel8:0.23.0-4	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/net-istio-webhook-rhel8:0.23.0-4	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.17.0-11	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.17.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-activator-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-autoscaler-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-controller-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-domain-mapping-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-queue-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-storage-version-migration-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/serving-webhook-rhel8:0.23.1-2	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.17.0-5	cpe:/a:redhat:serverless:1.17::el8	RHSA-2021:3556	2021-09-16T00:00:00Z
Openshift Serverless 1 on RHEL 8
openshift-serverless-clients-0:0.22.0-3.el8	cpe:/a:redhat:serverless:1.0::el8	RHSA-2021:2704	2021-07-13T00:00:00Z
openshift-serverless-clients-0:0.23.2-1.el8	cpe:/a:redhat:serverless:1.0::el8	RHSA-2021:3555	2021-09-16T00:00:00Z
Red Hat Developer Tools
go-toolset-1.15-0:1.15.13-1.el7_9	cpe:/a:redhat:devtools:2021	RHSA-2021:2634	2021-07-01T00:00:00Z
go-toolset-1.15-golang-0:1.15.13-1.el7_9	cpe:/a:redhat:devtools:2021	RHSA-2021:2634	2021-07-01T00:00:00Z
Red Hat Enterprise Linux 8
go-toolset:rhel8-8040020210716085908.5081a262	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:3076	2021-08-10T00:00:00Z
Red Hat Migration Toolkit for Containers 1.5
rhmtc/openshift-migration-velero-rhel8:v1.5.1-4	cpe:/a:redhat:rhmt:1.5::el8	RHSA-2021:3361	2021-08-31T00:00:00Z
Red Hat OpenShift Container Platform 4.8
cri-o-0:1.21.2-8.rhaos4.8.git8d4264e.el8	cpe:/a:redhat:openshift:4.8::el7	RHSA-2021:2984	2021-08-10T00:00:00Z
openshift-clients-0:4.8.0-202107292313.p0.git.1077b05.assembly.stream.el8	cpe:/a:redhat:openshift:4.8::el7	RHSA-2021:2984	2021-08-10T00:00:00Z
openshift4/ose-console:v4.8.0-202107301422.p0.git.5045bcb.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:2983	2021-08-10T00:00:00Z
openshift4/ose-grafana:v4.8.0-202107291502.p0.git.b987e4b.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:2983	2021-08-10T00:00:00Z
openshift4/ose-installer:v4.8.0-202107291502.p0.git.1831f62.assembly.stream	cpe:/a:redhat:openshift:4.8::el8	RHSA-2021:2983	2021-08-10T00:00:00Z
Red Hat OpenShift Container Platform 4.9
openshift-0:4.9.0-202110080828.p0.git.894a78b.assembly.stream.el8	cpe:/a:redhat:openshift:4.9::el7	RHSA-2021:3758	2021-10-18T00:00:00Z
Red Hat OpenShift Jaeger 1.20
distributed-tracing/jaeger-agent-rhel8:1.20.5-6	cpe:/a:redhat:jaeger:1.20::el8	RHSA-2021:3229	2021-08-19T00:00:00Z
distributed-tracing/jaeger-all-in-one-rhel8:1.20.5-3	cpe:/a:redhat:jaeger:1.20::el8	RHSA-2021:3229	2021-08-19T00:00:00Z
distributed-tracing/jaeger-collector-rhel8:1.20.5-5	cpe:/a:redhat:jaeger:1.20::el8	RHSA-2021:3229	2021-08-19T00:00:00Z
distributed-tracing/jaeger-ingester-rhel8:1.20.5-6	cpe:/a:redhat:jaeger:1.20::el8	RHSA-2021:3229	2021-08-19T00:00:00Z
distributed-tracing/jaeger-query-rhel8:1.20.5-3	cpe:/a:redhat:jaeger:1.20::el8	RHSA-2021:3229	2021-08-19T00:00:00Z
distributed-tracing/jaeger-rhel8-operator:1.20.5-5	cpe:/a:redhat:jaeger:1.20::el8	RHSA-2021:3229	2021-08-19T00:00:00Z

References

Link	Providers
https://groups.google.com/g/golang-announce
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html
https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
https://nvd.nist.gov/vuln/detail/CVE-2021-33196
https://security.gentoo.org/glsa/202208-02
https://www.cve.org/CVERecord?id=CVE-2021-33196

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-02T00:00:00

Updated: 2024-08-03T23:42:20.269Z

Reserved: 2021-05-19T00:00:00

Link: CVE-2021-33196

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-02T19:15:08.457

Modified: 2024-11-21T06:08:29.710

Link: CVE-2021-33196

Redhat

Severity : Moderate

Publid Date: 2021-05-25T00:00:00Z

Links: CVE-2021-33196 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-33196", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T23:42:20.269Z", "dateReserved": "2021-05-19T00:00:00", "datePublished": "2021-08-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-04-19T00:00:00"}, "descriptions": [{"lang": "en", "value": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce"}, {"url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2891-1] golang-1.8 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2892-1] golang-1.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:20.269Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/g/golang-announce", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2891-1] golang-1.8 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"name": "[debian-lts-announce] 20220121 [SECURITY] [DLA 2892-1] golang-1.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "83DF0007-D86B-419A-8722-A8C8C3313684", "versionEndExcluding": "1.15.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBF475E5-A5BF-49FF-89A3-F7C7E0051E8F", "versionEndExcluding": "1.16.5", "versionStartIncluding": "1.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic."}, {"lang": "es", "value": "En archive/zip en Go versiones anteriores a 1.15.13 y versiones 1.16.x anteriores a 1.16.5, un recuento de archivos crafteado (en la cabecera de un archivo) puede causar un p\u00e1nico en NewReader u OpenReader."}], "id": "CVE-2021-33196", "lastModified": "2024-11-21T06:08:29.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-02T19:15:08.457", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/client-kn-rhel8:0.22.0-4", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/ingress-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/knative-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/kourier-control-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.22.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serverless-operator-bundle:1.16.0-6", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serverless-rhel8-operator:1.16.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-activator-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-controller-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-queue-rhel8:0.22.0-4", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/serving-webhook-rhel8:0.22.0-3", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:2705", "cpe": "cpe:/a:redhat:serverless:1.16::el8", "impact": "low", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.16.0-2", "product_name": "Openshift Serveless 1.16", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/client-kn-rhel8:0.23.2-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.23.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/ingress-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/knative-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.23.2-1", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/kourier-control-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.23.0-4", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serverless-operator-bundle:1.17.0-11", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serverless-rhel8-operator:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-activator-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-controller-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-queue-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/serving-webhook-rhel8:0.23.1-2", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:3556", "cpe": "cpe:/a:redhat:serverless:1.17::el8", "impact": "low", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.17.0-5", "product_name": "Openshift Serverless 1.17", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:2704", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "impact": "low", "package": "openshift-serverless-clients-0:0.22.0-3.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-07-13T00:00:00Z"}, {"advisory": "RHSA-2021:3555", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "impact": "low", "package": "openshift-serverless-clients-0:0.23.2-1.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-09-16T00:00:00Z"}, {"advisory": "RHSA-2021:2634", "cpe": "cpe:/a:redhat:devtools:2021", "package": "go-toolset-1.15-0:1.15.13-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2021-07-01T00:00:00Z"}, {"advisory": "RHSA-2021:2634", "cpe": "cpe:/a:redhat:devtools:2021", "package": "go-toolset-1.15-golang-0:1.15.13-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2021-07-01T00:00:00Z"}, {"advisory": "RHSA-2021:3076", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8040020210716085908.5081a262", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:3361", "cpe": "cpe:/a:redhat:rhmt:1.5::el8", "package": "rhmtc/openshift-migration-velero-rhel8:v1.5.1-4", "product_name": "Red Hat Migration Toolkit for Containers 1.5", "release_date": "2021-08-31T00:00:00Z"}, {"advisory": "RHSA-2021:2984", "cpe": "cpe:/a:redhat:openshift:4.8::el7", "impact": "low", "package": "cri-o-0:1.21.2-8.rhaos4.8.git8d4264e.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:2984", "cpe": "cpe:/a:redhat:openshift:4.8::el7", "impact": "low", "package": "openshift-clients-0:4.8.0-202107292313.p0.git.1077b05.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:2983", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "impact": "low", "package": "openshift4/ose-console:v4.8.0-202107301422.p0.git.5045bcb.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:2983", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "impact": "low", "package": "openshift4/ose-grafana:v4.8.0-202107291502.p0.git.b987e4b.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:2983", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "impact": "low", "package": "openshift4/ose-installer:v4.8.0-202107291502.p0.git.1831f62.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:3758", "cpe": "cpe:/a:redhat:openshift:4.9::el7", "impact": "low", "package": "openshift-0:4.9.0-202110080828.p0.git.894a78b.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2021-10-18T00:00:00Z"}, {"advisory": "RHSA-2021:3229", "cpe": "cpe:/a:redhat:jaeger:1.20::el8", "impact": "low", "package": "distributed-tracing/jaeger-agent-rhel8:1.20.5-6", "product_name": "Red Hat OpenShift Jaeger 1.20", "release_date": "2021-08-19T00:00:00Z"}, {"advisory": "RHSA-2021:3229", "cpe": "cpe:/a:redhat:jaeger:1.20::el8", "impact": "low", "package": "distributed-tracing/jaeger-all-in-one-rhel8:1.20.5-3", "product_name": "Red Hat OpenShift Jaeger 1.20", "release_date": "2021-08-19T00:00:00Z"}, {"advisory": "RHSA-2021:3229", "cpe": "cpe:/a:redhat:jaeger:1.20::el8", "impact": "low", "package": "distributed-tracing/jaeger-collector-rhel8:1.20.5-5", "product_name": "Red Hat OpenShift Jaeger 1.20", "release_date": "2021-08-19T00:00:00Z"}, {"advisory": "RHSA-2021:3229", "cpe": "cpe:/a:redhat:jaeger:1.20::el8", "impact": "low", "package": "distributed-tracing/jaeger-ingester-rhel8:1.20.5-6", "product_name": "Red Hat OpenShift Jaeger 1.20", "release_date": "2021-08-19T00:00:00Z"}, {"advisory": "RHSA-2021:3229", "cpe": "cpe:/a:redhat:jaeger:1.20::el8", "impact": "low", "package": "distributed-tracing/jaeger-query-rhel8:1.20.5-3", "product_name": "Red Hat OpenShift Jaeger 1.20", "release_date": "2021-08-19T00:00:00Z"}, {"advisory": "RHSA-2021:3229", "cpe": "cpe:/a:redhat:jaeger:1.20::el8", "impact": "low", "package": "distributed-tracing/jaeger-rhel8-operator:1.20.5-5", "product_name": "Red Hat OpenShift Jaeger 1.20", "release_date": "2021-08-19T00:00:00Z"}], "bugzilla": {"description": "golang: archive/zip: malformed archive may cause panic or memory exhaustion", "id": "1965503", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965503"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.", "A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files."], "name": "CVE-2021-33196", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "impact": "low", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "impact": "low", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "rox", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:1.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:2.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Fix deferred", "impact": "low", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "bridge-marker-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cluster-network-addons-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cnv-containernetworking-plugins-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cnv-must-gather-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubevirt-cpu-node-labeller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "container-native-virtualization/vm-import-controller-rhel8", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hyperconverged-cluster-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hyperconverged-cluster-webhook-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubemacpool-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubernetes-nmstate-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-ssp-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-template-validator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-vmware-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "node-maintenance-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "ovs-cni-marker-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "ovs-cni-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-api-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-apiserver-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-cloner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-controller-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-importer-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-uploadproxy-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-uploadserver-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-controller-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-launcher-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "vm-import-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "vm-import-virtv2v-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Will not fix", "package_name": "smart-gateway-container", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Will not fix", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8", "fix_state": "Will not fix", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.3 for RHEL 8"}], "public_date": "2021-05-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-33196\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33196\nhttps://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"], "statement": "* In OpenShift Container Platform and OpenShift Service Mesh, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Plaform and OpenShift Service Mesh.\n* Although OpenShift distributed tracing (formerly OpenShift Jaeger) components are compiled with a vulnerable version of Go, the vulnerable archive/zip package is currently not used by this product therefore these components are affected but with impact Low. Additionally only core OpenShift distributed tracing components have been listed.\n* Although Serverless does ship the affected package, it does not make use of the actual package and hence the impact is low.\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw's impact is lower, no update will be provided at this time for STF1.2's smart-gateway-container and sg-core-container.", "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object