CVE-2021-41772 - Vulnerability Details

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Golang	Go
Oracle	Timesten In-memory Database
Redhat	Devtools Enterprise Linux Openshift Rhmt Serverless

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 [-]

cpe:2.3:a:oracle:timesten_in-memory_database:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Openshift Serveless 1.22
openshift-serverless-1/client-kn-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-mtping-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-storage-version-migration-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-sugar-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/eventing-webhook-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.22.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.22.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/kourier-control-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/net-istio-controller-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/net-istio-webhook-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.22.0-4	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.22.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-activator-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-autoscaler-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-controller-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-domain-mapping-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-domain-mapping-webhook-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-queue-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-storage-version-migration-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/serving-webhook-rhel8:1.1.2-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.22.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:1.1.0-2	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:1.1.0-3	cpe:/a:redhat:serverless:1.22::el8	RHSA-2022:1747	2022-05-09T00:00:00Z
Openshift Serverless 1 on RHEL 8
openshift-serverless-clients-0:1.1.0-2.el8	cpe:/a:redhat:serverless:1.0::el8	RHSA-2022:1745	2022-05-09T00:00:00Z
Red Hat Developer Tools
go-toolset-1.16-0:1.16.12-1.el7_9	cpe:/a:redhat:devtools:2021	RHSA-2021:5176	2021-12-16T00:00:00Z
go-toolset-1.16-golang-0:1.16.12-1.el7_9	cpe:/a:redhat:devtools:2021	RHSA-2021:5176	2021-12-16T00:00:00Z
Red Hat Enterprise Linux 8
go-toolset:rhel8-8060020220221035359.76a129d7	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:1819	2022-05-10T00:00:00Z
Red Hat Migration Toolkit for Containers 1.7
rhmtc/openshift-migration-velero-rhel8:v1.7.1-3	cpe:/a:redhat:rhmt:1.7::el8	RHSA-2022:1734	2022-05-05T00:00:00Z
Red Hat OpenShift Container Platform 4.10
openshift-0:4.10.0-202202250816.p0.ge419edf.assembly.stream.el7	cpe:/a:redhat:openshift:4.10::el7	RHSA-2022:0055	2022-03-10T00:00:00Z
openshift-clients-0:4.10.0-202202160023.p0.gf93da17.assembly.stream.el8	cpe:/a:redhat:openshift:4.10::el7	RHSA-2022:0055	2022-03-10T00:00:00Z
openshift4/ose-grafana:v4.10.0-202202160023.p0.g48aec35.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2022:0056	2022-03-10T00:00:00Z
openshift4/ose-installer:v4.10.0-202202240423.p0.g3b70190.assembly.stream	cpe:/a:redhat:openshift:4.10::el8	RHSA-2022:0056	2022-03-10T00:00:00Z

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://groups.google.com/g/golang-announce/c/0fM21h43arc
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/
https://nvd.nist.gov/vuln/detail/CVE-2021-41772
https://security.gentoo.org/glsa/202208-02
https://security.netapp.com/advisory/ntap-20211210-0003/
https://www.cve.org/CVERecord?id=CVE-2021-41772
https://www.oracle.com/security-alerts/cpujul2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-11-08T00:00:00

Updated: 2024-08-04T03:15:29.314Z

Reserved: 2021-09-28T00:00:00

Link: CVE-2021-41772

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-08T06:15:08.107

Modified: 2024-11-21T06:26:44.223

Link: CVE-2021-41772

Redhat

Severity : Moderate

Publid Date: 2021-08-30T00:00:00Z

Links: CVE-2021-41772 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-41772", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T03:15:29.314Z", "dateReserved": "2021-09-28T00:00:00", "datePublished": "2021-11-08T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-02-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"name": "FEDORA-2021-2ef35beebf", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"name": "FEDORA-2021-2b2dd1b5a7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc"}, {"url": "https://security.netapp.com/advisory/ntap-20211210-0003/"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:15:29.314Z"}, "title": "CVE Program Container", "references": [{"name": "FEDORA-2021-2ef35beebf", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"name": "FEDORA-2021-2b2dd1b5a7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20211210-0003/", "tags": ["x_transferred"]}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "67AFDFB7-865E-4BA7-9698-61D354A7DE1B", "versionEndExcluding": "1.16.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "90116FE4-B419-4054-9D39-C2961CE88ED5", "versionEndExcluding": "1.17.3", "versionStartIncluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:timesten_in-memory_database:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF11FA16-6BF0-49F9-B5A7-3C8ECEB62323", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field."}, {"lang": "es", "value": "Go versiones anteriores a 1.16.10 y 1.17.x versiones anteriores a 1.17.3, permite un p\u00e1nico de archivo/zip Reader.Open por medio de un archivo ZIP dise\u00f1ado que contiene un nombre no v\u00e1lido o un campo filename vac\u00edo"}], "id": "CVE-2021-41772", "lastModified": "2024-11-21T06:26:44.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-08T06:15:08.107", "references": [{"source": "cve@mitre.org", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211210-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/g/golang-announce/c/0fM21h43arc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211210-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/client-kn-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.22.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.22.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/kourier-control-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.22.0-4", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.22.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-activator-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-controller-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-queue-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:1.1.2-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.22.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:1.1.0-2", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1747", "cpe": "cpe:/a:redhat:serverless:1.22::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:1.1.0-3", "product_name": "Openshift Serveless 1.22", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2022:1745", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:1.1.0-2.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2022-05-09T00:00:00Z"}, {"advisory": "RHSA-2021:5176", "cpe": "cpe:/a:redhat:devtools:2021", "package": "go-toolset-1.16-0:1.16.12-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2021:5176", "cpe": "cpe:/a:redhat:devtools:2021", "package": "go-toolset-1.16-golang-0:1.16.12-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2022:1819", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8060020220221035359.76a129d7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:1734", "cpe": "cpe:/a:redhat:rhmt:1.7::el8", "package": "rhmtc/openshift-migration-velero-rhel8:v1.7.1-3", "product_name": "Red Hat Migration Toolkit for Containers 1.7", "release_date": "2022-05-05T00:00:00Z"}, {"advisory": "RHSA-2022:0055", "cpe": "cpe:/a:redhat:openshift:4.10::el7", "impact": "low", "package": "openshift-0:4.10.0-202202250816.p0.ge419edf.assembly.stream.el7", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0055", "cpe": "cpe:/a:redhat:openshift:4.10::el7", "impact": "low", "package": "openshift-clients-0:4.10.0-202202160023.p0.gf93da17.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0056", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "impact": "low", "package": "openshift4/ose-grafana:v4.10.0-202202160023.p0.g48aec35.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-03-10T00:00:00Z"}, {"advisory": "RHSA-2022:0056", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "impact": "low", "package": "openshift4/ose-installer:v4.10.0-202202240423.p0.g3b70190.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-03-10T00:00:00Z"}], "bugzilla": {"description": "golang: archive/zip: Reader.Open panics on empty string", "id": "2020736", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020736"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "(CWE-20|CWE-125)", "details": ["Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.", "A vulnerability was found in archive/zip of the Go standard library. Applications written in Go where Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument."], "name": "CVE-2021-41772", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Not affected", "package_name": "go-toolset-1.15-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-bridge-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-container-security-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-openshift-bridge-rhel8-operator", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Not affected", "package_name": "smart-gateway-container", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Will not fix", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8", "fix_state": "Not affected", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.3 for RHEL 8"}], "public_date": "2021-08-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-41772\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41772\nhttps://groups.google.com/g/golang-announce/c/0fM21h43arc"], "statement": "* In OpenShift Container Platform multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw's impact is lower, no update will be provided at this time for STF1.2's sg-core-container.\n* Because Red Hat Ceph Storage only uses Go's archive/zip for the Grafana CLI and thus is not directly exploitable, the vulnerability has been rated low for Red Hat Ceph Storage.", "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object