{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45590", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-02T16:00:02.422Z", "datePublished": "2024-09-10T15:54:02.330Z", "dateUpdated": "2024-09-10T18:47:22.965Z"}, "containers": {"cna": {"title": "body-parser vulnerable to denial of service when url encoding is enabled", "problemTypes": [{"descriptions": [{"cweId": "CWE-405", "lang": "en", "description": "CWE-405: Asymmetric Resource Consumption (Amplification)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"}, {"name": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "tags": ["x_refsource_MISC"], "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"}], "affected": [{"vendor": "expressjs", "product": "body-parser", "versions": [{"version": "< 1.20.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-10T15:54:02.330Z"}, "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}], "source": {"advisory": "GHSA-qwcr-r2fm-qrc7", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "expressjs", "product": "body-parser", "cpes": ["cpe:2.3:a:expressjs:body-parser:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.20.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-10T18:42:41.773305Z", "id": "CVE-2024-45590", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:47:22.965Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45590", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T18:42:41.773305Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:expressjs:body-parser:*:*:*:*:*:*:*:*"], "vendor": "expressjs", "product": "body-parser", "versions": [{"status": "affected", "version": "0", "lessThan": "1.20.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:45:10.928Z"}}], "cna": {"title": "body-parser vulnerable to denial of service when url encoding is enabled", "source": {"advisory": "GHSA-qwcr-r2fm-qrc7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "expressjs", "product": "body-parser", "versions": [{"status": "affected", "version": "< 1.20.3"}]}], "references": [{"url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "name": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "name": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-405", "description": "CWE-405: Asymmetric Resource Consumption (Amplification)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-10T15:54:02.330Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45590", "state": "PUBLISHED", "dateUpdated": "2024-09-10T18:47:22.965Z", "dateReserved": "2024-09-02T16:00:02.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-10T15:54:02.330Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openjsf:body-parser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "42A6B188-985D-4F15-B31B-46D67F4E3F07", "versionEndExcluding": "1.20.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}, {"lang": "es", "value": "body-parser es un middleware de an\u00e1lisis de cuerpo de Node.js. body-parser en versiones anteriores a la 1.20.3 es vulnerable a la denegaci\u00f3n de servicio cuando la codificaci\u00f3n de URL est\u00e1 habilitada. Un actor malintencionado que utilice un payload especialmente manipulado podr\u00eda inundar el servidor con una gran cantidad de solicitudes, lo que provocar\u00eda una denegaci\u00f3n de servicio. Este problema se solucion\u00f3 en la versi\u00f3n 1.20.3."}], "id": "CVE-2024-45590", "lastModified": "2024-09-20T16:26:44.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-10T16:15:21.083", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-405"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-cli-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-console-plugin-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-ebpf-agent-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-flowlogs-pipeline-rhel9:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-operator-bundle:1.7.0-86", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8014", "cpe": "cpe:/a:redhat:network_observ_optr:1.7.0::el9", "package": "network-observability/network-observability-rhel9-operator:v1.7.0-67", "product_name": "NETWORK-OBSERVABILITY-1.7.0-RHEL-9", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:9583", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.4.6-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/dex-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/kam-delivery-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.12.6-2", "product_name": "Red Hat OpenShift GitOps 1.12", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8677", "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el9", "package": "openshift-gitops-argocd-rhel9-container-v1.12.6-1", "product_name": "Red Hat OpenShift GitOps 1.12 - RHEL 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/dex-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/kam-delivery-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.13.2-4", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8581", "cpe": "cpe:/a:redhat:openshift_gitops:1.13::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.13.2-5", "product_name": "Red Hat OpenShift GitOps 1.13", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/grafana-rhel8:2.5.5-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.5.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.5.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.73.14-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8:1.73.15-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/pilot-rhel8:2.5.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.5.5-6", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7725", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.5.5-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/grafana-rhel8:2.6.2-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.6.2-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.6.2-4", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.6.2-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.89.2-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-rhel8:1.89.4-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.89.6-1", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/pilot-rhel8:2.6.2-5", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.6.2-3", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 8", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:7726", "cpe": "cpe:/a:redhat:service_mesh:2.6::el9", "package": "openshift-service-mesh/proxyv2-rhel9:2.6.2-7", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 9", "release_date": "2024-10-07T00:00:00Z"}, {"advisory": "RHSA-2024:8113", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package": "odf4/mcg-core-rhel9:v4.16.3-1", "product_name": "RHODF-4.16-RHEL-9", "release_date": "2024-10-15T00:00:00Z"}, {"advisory": "RHSA-2024:8676", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.17::el9", "package": "odf4/mcg-core-rhel9:v4.17.0-69", "product_name": "RHODF-4.17-RHEL-9", "release_date": "2024-10-30T00:00:00Z"}], "bugzilla": {"description": "body-parser: Denial of Service Vulnerability in body-parser", "id": "2311171", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311171"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-405", "details": ["body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", "A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45590", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "body-parser", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/logging-view-plugin-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Affected", "package_name": "rhmtc/openshift-migration-ui-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "body-parser", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Will not fix", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed:0.2", "fix_state": "Affected", "package_name": "openshift-lightspeed-beta/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-console-plugin-rhel8-container", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "body-parser", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-lightspeed-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "body-parser", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:discovery:1.0::el8", "fix_state": "Affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "body-parser", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/nmstate-console-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-monitoring-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-networking-console-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-console-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-console-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Not affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "body-parser", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:1", "fix_state": "Affected", "package_name": "rhtpa/rhtpa-trustification-service-rhel9", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2024-09-10T16:15:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45590\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45590\nhttps://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\nhttps://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"], "threat_severity": "Important"}