CVE-2025-21614 - Vulnerability Details

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Go-git Project	Go-git
Redhat	Advanced Cluster Security Enterprise Linux Openshift Openshift Gitops Openstack Rhel Eus Trusted Profile Analyzer

Configuration 1 [-]

cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-main-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-main-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.6-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-central-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
Red Hat Enterprise Linux 8
grafana-0:9.2.10-21.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0401	2025-01-20T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
grafana-0:9.2.10-21.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:0662	2025-01-23T00:00:00Z
Red Hat OpenShift Container Platform 4.16
openshift4/ose-helm-rhel9-operator:v4.16.0-202502130836.p0.g26e182e.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:1704	2025-02-27T00:00:00Z
openshift4/ose-operator-sdk-rhel9:v4.16.0-202502190034.p0.g26e182e.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:1704	2025-02-27T00:00:00Z
Red Hat OpenShift Container Platform 4.17
openshift4/oc-mirror-plugin-rhel9:v4.17.0-202501221434.p0.g39bedc7.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:0654	2025-01-28T00:00:00Z
openshift4/ose-helm-rhel9-operator:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:1119	2025-02-11T00:00:00Z
openshift4/ose-operator-sdk-rhel9:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:1119	2025-02-11T00:00:00Z
Red Hat OpenShift Container Platform 4.18
openshift4/oc-mirror-plugin-rhel9:v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
openshift4/ose-olm-catalogd-rhel9:v4.18.0-202502052031.p0.gf95a88f.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
openshift4/ose-olm-operator-controller-rhel9:v4.18.0-202502051931.p0.g74a2477.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
Red Hat OpenShift GitOps 1.14
openshift-gitops-argocd-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-argocd-rhel9-container-v1.14.3-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-argo-rollouts-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-console-plugin-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-dex-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-kam-delivery-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-must-gather-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-operator-bundle-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-operator-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
Red Hat OpenShift GitOps 1.15
openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.15.1-1	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
Red Hat OpenStack Platform 16.2
rhosp-rhel8/osp-director-agent:1.3.0-17	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-downloader:1.3.0-17	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-operator:1.3.0-15	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-operator-bundle:1.3.0-33	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
Red Hat OpenStack Platform 17.1 for RHEL 9
rhosp-rhel9/osp-director-agent:1.3.1-20	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-downloader:1.3.1-18	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-operator:1.3.1-20	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-operator-bundle:1.3.1-41	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
Red Hat Trusted Profile Analyzer 1.2
registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:2dc71ee6e8c55a29b6dd68006c7d0365154d35c850021d8b4b77e24b4e8fd1a6	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2025:0444	2025-01-20T00:00:00Z
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:eb2e0b1003ef77c39b28fe9fbe2ca8141aa72160bdcd7d55eddac2c16629d7c4	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2025:0445	2025-01-20T00:00:00Z

References

Link	Providers
https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4
https://nvd.nist.gov/vuln/detail/CVE-2025-21614
https://www.cve.org/CVERecord?id=CVE-2025-21614

History

Thu, 17 Apr 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go-git Project Go-git Project go-git
CPEs		cpe:2.3:a:go-git_project:go-git::::::go::*
Vendors & Products		Go-git Project Go-git Project go-git

Thu, 20 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_gitops:1.14::el8

Thu, 27 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.16::el9

Thu, 27 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Gitops Redhat openstack
CPEs		cpe:/a:redhat:openshift_gitops:1.15::el8 cpe:/a:redhat:openstack:16.2::el8 cpe:/a:redhat:openstack:17.1::el9
Vendors & Products		Redhat openshift Gitops Redhat openstack

Tue, 25 Feb 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.18::el9

Fri, 14 Feb 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.4::el8

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat advanced Cluster Security Redhat enterprise Linux Redhat openshift Redhat rhel Eus Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8 cpe:/a:redhat:advanced_cluster_security:4.6::el8 cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:openshift:4.17::el9 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products		Redhat Redhat advanced Cluster Security Redhat enterprise Linux Redhat openshift Redhat rhel Eus Redhat trusted Profile Analyzer

Thu, 09 Jan 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-21614 https://www.cve.org/CVERecord?id=CVE-2025-21614
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 06 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Jan 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Title		go-git clients vulnerable to DoS via maliciously crafted Git server replies
Weaknesses		CWE-400
References		https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-06T16:20:16.140Z

Updated: 2025-01-06T16:36:35.796Z

Reserved: 2024-12-29T03:00:24.713Z

Link: CVE-2025-21614

Vulnrichment

Updated: 2025-01-06T16:36:27.947Z

NVD

Status : Analyzed

Published: 2025-01-06T17:15:47.310

Modified: 2025-04-17T02:33:33.057

Link: CVE-2025-21614

Redhat

Severity : Important

Publid Date: 2025-01-06T16:20:16Z

Links: CVE-2025-21614 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21614", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-29T03:00:24.713Z", "datePublished": "2025-01-06T16:20:16.140Z", "dateUpdated": "2025-01-06T16:36:35.796Z"}, "containers": {"cna": {"title": "go-git clients vulnerable to DoS via maliciously crafted Git server replies", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4"}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"version": ">= 4.0.0, < 5.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T16:20:16.140Z"}, "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability."}], "source": {"advisory": "GHSA-r9px-m959-cxf4", "discovery": "UNKNOWN"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T16:34:38.131709Z", "id": "CVE-2025-21614", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:36:35.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21614", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-06T16:34:38.131709Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:36:27.947Z"}}], "cna": {"title": "go-git clients vulnerable to DoS via maliciously crafted Git server replies", "source": {"advisory": "GHSA-r9px-m959-cxf4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"status": "affected", "version": ">= 4.0.0, < 5.13.0"}]}], "references": [{"url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4", "name": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T16:20:16.140Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21614", "state": "PUBLISHED", "dateUpdated": "2025-01-06T16:36:35.796Z", "dateReserved": "2024-12-29T03:00:24.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-06T16:20:16.140Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*", "matchCriteriaId": "77FFEE6C-CE0C-435F-9466-13BC2B95D09E", "versionEndExcluding": "5.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability."}, {"lang": "es", "value": "Go-git es una librer\u00eda de implementaci\u00f3n de Git altamente extensible escrita en Go puro. Se descubri\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en versiones de Go-git anteriores a la v5.13. Esta vulnerabilidad permite a un atacante realizar ataques de denegaci\u00f3n de servicio al proporcionar respuestas especialmente manipuladas desde un servidor Git que desencadenan el agotamiento de recursos en los clientes de Go-git. Se recomienda a los usuarios que ejecutan versiones de Go-git de la v4 y posteriores que actualicen a la v5.13 para mitigar esta vulnerabilidad."}], "id": "CVE-2025-21614", "lastModified": "2025-04-17T02:33:33.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-06T17:15:47.310", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.6-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0401", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:9.2.10-21.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:0662", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "grafana-0:9.2.10-21.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-01-23T00:00:00Z"}, {"advisory": "RHSA-2025:1704", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-helm-rhel9-operator:v4.16.0-202502130836.p0.g26e182e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1704", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-operator-sdk-rhel9:v4.16.0-202502190034.p0.g26e182e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:0654", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.17.0-202501221434.p0.g39bedc7.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:1119", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-helm-rhel9-operator:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1119", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-operator-sdk-rhel9:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-olm-catalogd-rhel9:v4.18.0-202502052031.p0.gf95a88f.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-olm-operator-controller-rhel9:v4.18.0-202502051931.p0.g74a2477.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.14.3-1", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argo-rollouts-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-console-plugin-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-dex-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-kam-delivery-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-must-gather-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-bundle-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel9:v1.15.1-1", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/dex-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-agent:1.3.0-17", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-downloader:1.3.0-17", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator:1.3.0-15", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator-bundle:1.3.0-33", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-agent:1.3.1-20", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-downloader:1.3.1-18", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-operator:1.3.1-20", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-operator-bundle:1.3.1-41", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:0444", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:2dc71ee6e8c55a29b6dd68006c7d0365154d35c850021d8b4b77e24b4e8fd1a6", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2025-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:0445", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:eb2e0b1003ef77c39b28fe9fbe2ca8141aa72160bdcd7d55eddac2c16629d7c4", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2025-01-20T00:00:00Z"}], "bugzilla": {"description": "go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies", "id": "2335901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335901"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "(CWE-400|CWE-770)", "details": ["go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.", "A denial of service (DoS) vulnerability was found in go-git. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which triggers resource exhaustion in go-git clients."], "name": "CVE-2025-21614", "package_state": [{"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Will not fix", "package_name": "oadp/oadp-mustgather-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1-func-utils-rhel8-container", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-cli-artifacts-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/multicluster-operators-subscription-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-data-science-pipelines-argo-argoexec-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-data-science-pipelines-argo-workflowcontroller-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-olm-rukpak-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-framework-tools-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-registry-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/devspaces-rhel8-operator", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/cluster-network-addons-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/cluster-network-addons-operator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "osp-director-provisioner-container", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2025-01-06T16:20:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21614\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21614\nhttps://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4"], "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object