CVE-2024-21536 - Vulnerability Details

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Chimurai	Http-proxy-middleware
Redhat	Advanced Cluster Security Discovery Openshift Distributed Tracing Rhdh Service Mesh Trusted Profile Analyzer

Configuration 1 [-]

OR	cpe:2.3:a:chimurai:http-proxy-middleware::::::::
	cpe:2.3:a:chimurai:http-proxy-middleware::::::::

Package	CPE	Advisory	Released Date
Discovery 1 for RHEL 9
discovery/discovery-server-rhel9:1.12.0-1	cpe:/o:redhat:discovery:1.0::el9	RHSA-2025:1249	2025-02-10T00:00:00Z
discovery/discovery-ui-rhel9:1.12.0-1	cpe:/o:redhat:discovery:1.0::el9	RHSA-2025:1249	2025-02-10T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-central-db-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.9-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:3928	2025-04-15T00:00:00Z
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-central-db-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.5-1	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3929	2025-04-15T00:00:00Z
Red Hat Advanced Cluster Security 4.7
advanced-cluster-security/rhacs-central-db-rhel8:4.7.2-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.7.2-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.7.2-3	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.7.2-4	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.7.2-1	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.7.2-1	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.2-1	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.2-1	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.7.2-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.2-1	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.2-1	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.2-3	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3930	2025-04-15T00:00:00Z
Red Hat Developer Hub 1.3 on RHEL 9
rhdh/rhdh-hub-rhel9:1.3-124	cpe:/a:redhat:rhdh:1.3::el9	RHBA-2024:9054	2024-11-11T00:00:00Z
Red Hat OpenShift Service Mesh 2.6 for RHEL 8
openshift-service-mesh/grafana-rhel8:2.6.3-2	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
openshift-service-mesh/istio-cni-rhel8:2.6.3-4	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
openshift-service-mesh/istio-must-gather-rhel8:2.6.3-3	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
openshift-service-mesh/istio-rhel8-operator:2.6.3-5	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
openshift-service-mesh/kiali-rhel8-operator:1.89.7-1	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
openshift-service-mesh/pilot-rhel8:2.6.3-4	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
openshift-service-mesh/ratelimit-rhel8:2.6.3-4	cpe:/a:redhat:service_mesh:2.6::el8	RHSA-2024:9627	2024-11-14T00:00:00Z
Red Hat OpenShift Service Mesh 2.6 for RHEL 9
openshift-service-mesh/proxyv2-rhel9:2.6.3-6	cpe:/a:redhat:service_mesh:2.6::el9	RHSA-2024:9627	2024-11-14T00:00:00Z
Red Hat Developer Hub (RHDH) 1.4
registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3	cpe:/a:redhat:rhdh:1.4::el9	RHBA-2024:11265	2024-12-17T00:00:00Z
Red Hat OpenShift distributed tracing 3.4
registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:648d95c1a6736055910cd901c7e80d82d0e8bad71531373293144d0d6682b994	cpe:/a:redhat:openshift_distributed_tracing:3.4::el8	RHSA-2024:10917	2024-12-10T00:00:00Z
registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:8d0e9eb0894de1289dfa9556cf9411874df3111f3e84471256de6b2d75ecd829	cpe:/a:redhat:openshift_distributed_tracing:3.4::el8	RHSA-2024:10962	2024-12-11T00:00:00Z
Red Hat Trusted Profile Analyzer 1.2
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2024:11255	2024-12-17T00:00:00Z
registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2024:11256	2024-12-17T00:00:00Z

References

Link	Providers
https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a
https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5
https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22
https://nvd.nist.gov/vuln/detail/CVE-2024-21536
https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906
https://www.cve.org/CVERecord?id=CVE-2024-21536

History

Wed, 16 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat advanced Cluster Security
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8 cpe:/a:redhat:advanced_cluster_security:4.6::el8 cpe:/a:redhat:advanced_cluster_security:4.7::el8
Vendors & Products		Redhat advanced Cluster Security

Thu, 20 Mar 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhdh:1.3::el9

Fri, 14 Feb 2025 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhdh
CPEs		cpe:/a:redhat:rhdh:1.4::el9
Vendors & Products		Redhat rhdh

Thu, 13 Feb 2025 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat discovery
CPEs		cpe:/o:redhat:discovery:1.0::el9
Vendors & Products		Redhat discovery

Tue, 17 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products		Redhat trusted Profile Analyzer

Thu, 12 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Distributed Tracing
CPEs		cpe:/a:redhat:openshift_distributed_tracing:3.4::el8
Vendors & Products		Redhat openshift Distributed Tracing

Sat, 16 Nov 2024 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat service Mesh
CPEs		cpe:/a:redhat:service_mesh:2.6::el8 cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products		Redhat Redhat service Mesh

Fri, 01 Nov 2024 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Mon, 21 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chimurai Chimurai http-proxy-middleware
CPEs		cpe:2.3:a:chimurai:http-proxy-middleware::::::::
Vendors & Products		Chimurai Chimurai http-proxy-middleware
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 21 Oct 2024 13:30:00 +0000

Type	Values Removed	Values Added
Title		http-proxy-middleware: Denial of Service
References		https://nvd.nist.gov/vuln/detail/CVE-2024-21536 https://www.cve.org/CVERecord?id=CVE-2024-21536
Metrics	threat_severity `None`	threat_severity `Moderate`

Sat, 19 Oct 2024 05:15:00 +0000

Type	Values Removed	Values Added
Description		Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Weaknesses		CWE-400
References		https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5 https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22 https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P'}`

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2024-10-19T05:00:04.056Z

Updated: 2024-10-21T16:31:29.125Z

Reserved: 2023-12-22T12:33:20.123Z

Link: CVE-2024-21536

Vulnrichment

Updated: 2024-10-21T15:47:24.380Z

NVD

Status : Analyzed

Published: 2024-10-19T05:15:13.097

Modified: 2024-11-01T18:03:15.897

Link: CVE-2024-21536

Redhat

Severity : Moderate

Publid Date: 2024-10-19T05:00:04Z

Links: CVE-2024-21536 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21536", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.123Z", "datePublished": "2024-10-19T05:00:04.056Z", "dateUpdated": "2024-10-21T16:31:29.125Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"}}], "credits": [{"value": "Marc Hassan", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (DoS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-10-21T11:22:36.064Z"}, "descriptions": [{"value": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"}, {"url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"}, {"url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"}, {"url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"}], "affected": [{"product": "http-proxy-middleware", "versions": [{"version": "0", "lessThan": "2.0.7", "status": "affected", "versionType": "semver"}, {"version": "3.0.0", "lessThan": "3.0.3", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"affected": [{"vendor": "chimurai", "product": "http-proxy-middleware", "cpes": ["cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.0.7", "versionType": "semver"}, {"version": "3.0.0", "status": "affected", "lessThan": "3.0.3", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-21T15:20:45.568615Z", "id": "CVE-2024-21536", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T16:31:29.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21536", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T15:20:45.568615Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*"], "vendor": "chimurai", "product": "http-proxy-middleware", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.7", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.0.3", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T15:47:24.380Z"}}], "cna": {"credits": [{"lang": "en", "value": "Marc Hassan"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "http-proxy-middleware", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.7", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.0.3", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"}, {"url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"}, {"url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"}, {"url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"}], "descriptions": [{"lang": "en", "value": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "Denial of Service (DoS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-10-21T11:22:36.064Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21536", "state": "PUBLISHED", "dateUpdated": "2024-10-21T16:31:29.125Z", "dateReserved": "2023-12-22T12:33:20.123Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-10-19T05:00:04.056Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1C31D2C-0CB7-4D28-8658-42632A65F7F3", "versionEndExcluding": "2.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:chimurai:http-proxy-middleware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A89EB4F5-1978-4172-A52D-8504F87E110E", "versionEndExcluding": "3.0.3", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths."}, {"lang": "es", "value": "Las versiones del paquete http-proxy-middleware anteriores a la 2.0.7, a la 3.0.0 y a la 3.0.3 es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) debido a un error UnhandledPromiseRejection generado por micromatch. Un atacante podr\u00eda matar el proceso Node.js y bloquear el servidor al realizar solicitudes a determinadas rutas."}], "id": "CVE-2024-21536", "lastModified": "2024-11-01T18:03:15.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-10-19T05:15:13.097", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-ui-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3928", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.9-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3929", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.5-1", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.7.2-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.7.2-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.7.2-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.7.2-4", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.7.2-1", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.7.2-1", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.2-1", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.2-1", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.7.2-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.2-1", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.2-1", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHSA-2025:3930", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.2-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-15T00:00:00Z"}, {"advisory": "RHBA-2024:9054", "cpe": "cpe:/a:redhat:rhdh:1.3::el9", "package": "rhdh/rhdh-hub-rhel9:1.3-124", "product_name": "Red Hat Developer Hub 1.3 on RHEL 9", "release_date": "2024-11-11T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/grafana-rhel8:2.6.3-2", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.6.3-4", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.6.3-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.6.3-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.89.7-1", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/pilot-rhel8:2.6.3-4", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.6.3-4", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9627", "cpe": "cpe:/a:redhat:service_mesh:2.6::el9", "package": "openshift-service-mesh/proxyv2-rhel9:2.6.3-6", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 9", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHBA-2024:11265", "cpe": "cpe:/a:redhat:rhdh:1.4::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:48edcf6f736e17f33d3630ce2fddc19e95316b7824a7af24e9f0df48ac4f4fe3", "product_name": "Red Hat Developer Hub (RHDH) 1.4", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:10917", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.4::el8", "package": "registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:648d95c1a6736055910cd901c7e80d82d0e8bad71531373293144d0d6682b994", "product_name": "Red Hat OpenShift distributed tracing 3.4", "release_date": "2024-12-10T00:00:00Z"}, {"advisory": "RHSA-2024:10962", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.4::el8", "package": "registry.redhat.io/rhosdt/jaeger-query-rhel8:sha256:8d0e9eb0894de1289dfa9556cf9411874df3111f3e84471256de6b2d75ecd829", "product_name": "Red Hat OpenShift distributed tracing 3.4", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:11255", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11256", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-12-17T00:00:00Z"}], "bugzilla": {"description": "http-proxy-middleware: Denial of Service", "id": "2319884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319884"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.", "A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths."], "mitigation": {"lang": "en:us", "value": "Red Hat Product Security does not have any mitigation recommendations at this time."}, "name": "CVE-2024-21536", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "io.cryostat-cryostat3", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Affected", "package_name": "rhmtc/openshift-migration-ui-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Will not fix", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-beta/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-console-plugin-rhel8-container", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Will not fix", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Will not fix", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "org.kie.kogito-kogito-apps", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "io.hawt-project", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "io.apicurio-apicurio-registry", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "org.optaweb.vehiclerouting-optaweb-vehicle-routing", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:hybrid_cloud_gateway:1::el9", "fix_state": "Affected", "package_name": "rhcl-console-plugin-container", "product_name": "Red Hat Connectivity Link"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "org.infinispan-infinispan-console", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "io.apicurio-apicurito", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "io.syndesis-syndesis-ui", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "io.apicurio-apicurio-registry", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "org.infinispan-infinispan-management-console", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Will not fix", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Will not fix", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/nmstate-console-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-monitoring-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-networking-console-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Will not fix", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Will not fix", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Will not fix", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/console-plugin-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-argocd-rhel9-container", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.uberfire-uberfire-parent", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-10-19T05:00:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21536\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21536\nhttps://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a\nhttps://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5\nhttps://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22\nhttps://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object