{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-01T00:00:00Z",
  "bugzilla" : {
    "description" : "golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS",
    "id" : "1874857",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1874857"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.", "A flaw was found in the Go standard library packages before upstream versions 1.15 and 1.14.8. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of \"text/html\", rather than \"text/plain\". In applications using these packages, a handler that does not set a Content-Type header has its response served as HTML, so an attacker who can upload crafted files can use this to carry out a cross-site scripting (XSS) attack. The highest threat from this vulnerability is to confidentiality and integrity." ],
  "statement" : "Multiple components in the Red Hat OpenShift Container Platform are built with Go and use net/http; however, none of them include the specific vulnerable packages net/http/cgi and net/http/fcgi. Red Hat OpenShift Container Platform is therefore not affected by this flaw.",
  "affected_release" : [ {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/client-kn-rhel8:0.18.4-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-controller-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-mtping-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-sugar-controller-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/eventing-webhook-rhel8:0.18.6-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/ingress-rhel8-operator:1.12.0-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/knative-rhel8-operator:1.12.0-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/kn-cli-artifacts-rhel8:0.18.4-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/kourier-control-rhel8:0.18.0-2"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serverless-operator-bundle:1.12.0-5"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serverless-rhel8-operator:1.12.0-4"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-activator-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-autoscaler-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-controller-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-queue-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-storage-version-migration-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/serving-webhook-rhel8:0.18.2-3"
  }, {
    "product_name" : "Openshift Serveless 1.12",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0146",
    "cpe" : "cpe:/a:redhat:serverless:1.12::el8",
    "package" : "openshift-serverless-1/svls-must-gather-rhel8:1.12.0-2"
  }, {
    "product_name" : "Openshift Serverless 1 on RHEL 8",
    "release_date" : "2021-01-14T00:00:00Z",
    "advisory" : "RHSA-2021:0145",
    "cpe" : "cpe:/a:redhat:serverless:1.0::el8",
    "package" : "openshift-serverless-clients-0:0.18.4-2.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-12-15T00:00:00Z",
    "advisory" : "RHSA-2020:5493",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "go-toolset:rhel8-8030020201118084734.58e1918e"
  } ],
  "package_state" : [ {
    "product_name" : "Distributed Tracing Jaeger 1",
    "fix_state" : "Not affected",
    "package_name" : "distributed-tracing/jaeger-all-in-one-rhel7",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "CLI",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "ior",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "kiali",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/3scale-istio-adapter-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-cni",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:1"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-prometheus-node_exporter",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "gcc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "ansible-service-broker",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "apb",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-enterprise-service-catalog",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-cluster-autoscaler",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-descheduler",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-dockerregistry",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-metrics-server",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-node-problem-detector",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-service-idler",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-web-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "cockpit",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "containernetworking-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "cri-o",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "cri-tools",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "csi-attacher",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "csi-driver-registrar",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "csi-livenessprobe",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "csi-provisioner",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-openshift-oauth-proxy",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-openshift-prometheus-alert-buffer",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-prometheus-alertmanager",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-prometheus-node_exporter",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-prometheus-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-prometheus-promu",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "hawkular-openshift-agent",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "heapster",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "image-inspector",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-enterprise-autoheal",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-enterprise-cluster-capacity",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-enterprise-image-registry",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-eventrouter",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-external-storage",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift-monitor-project-lifecycle",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch-ovn-kubernetes",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "podman",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "apb",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "atomic-enterprise-service-catalog",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift-service-idler",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "buildah",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "containernetworking-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "cri-o",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "cri-tools",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "faq",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "golang-github-prometheus-promu",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "ignition",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "kubefed-client",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "machine-config-daemon",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-clients",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-eventrouter",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "pivot",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "podman",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "runc",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "skopeo",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "mcg",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ocs4/cephcsi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ocs4/mcg-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ocs4/ocs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ocs4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "ember-csi",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "ember-csi-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-cdi",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-cpu-model-nfd-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-cpu-node-labeller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-metrics-collector",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-virtctl",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-web-ui",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-web-ui-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "multus-cni",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "ovs-cni-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "sriov-cni",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "sriov-network-device-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-api",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-apiserver",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-cloner",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-controller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-importer",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-uploadproxy",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-uploadserver",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-controller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-handler",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-launcher",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 1",
    "fix_state" : "Not affected",
    "package_name" : "virt-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "bridge-marker",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "cluster-network-addons-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "cnv-containernetworking-plugins",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "cnv-must-gather",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "hostpath-provisioner",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "hostpath-provisioner-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "hyperconverged-cluster-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubemacpool",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubernetes-nmstate-handler",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-cpu-model-nfd-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-cpu-node-labeller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-kvm-info-nfd-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-metrics-collector",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-template-validator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-virtctl",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "kubevirt-vmware",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "node-maintenance-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "ovs-cni-marker",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "ovs-cni-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-api",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-apiserver",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-cloner",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-controller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-importer",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-uploadproxy",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-cdi-uploadserver",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-controller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-handler",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-launcher",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "virt-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "vm-import-controller",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 2",
    "fix_state" : "Not affected",
    "package_name" : "vm-import-operator",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:2"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "multi-cloud-object-gateway-cli",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "noobaa-operator-container",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "rhgs3/rhgs-gluster-block-prov-rhel7",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-24553\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-24553\nhttps://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs\nhttps://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting" ],
  "name" : "CVE-2020-24553",
  "csaw" : false
}