{ "threat_severity" : "Moderate", "public_date" : "2022-01-21T00:00:00Z", "bugzilla" : { "description" : "nanoid: Information disclosure via valueOf() function", "id" : "2050853", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2050853" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-212", "details" : [ "The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.", "A flaw was found in the nanoid library where the valueOf() function allows the reproduction of the last id generated. This flaw allows an attacker to expose sensitive information." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-thanos-rhel8:v4.11.0-202208020235.p0.gf08da2d.assembly.stream" }, { "product_name" : "Red Hat OpenShift Data Foundation 4.11 on RHEL8", "release_date" : "2022-08-24T00:00:00Z", "advisory" : "RHSA-2022:6156", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.11::el8", "package" : "odf4/mcg-core-rhel8:v4.11.0-30" } ], "package_state" : [ { "product_name" : "Migration Toolkit for Virtualization", "fix_state" : "Fix deferred", "package_name" : "migration-toolkit-virtualization/mtv-ui-rhel8", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "odo", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/console-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/grc-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/kui-web-terminal-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/search-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.infinispan-infinispan-console", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "io.smallrye-smallrye-open-api-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "io.smallrye-smallrye-open-api-parent", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-prometheus-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23566\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23566\nhttps://github.com/advisories/GHSA-qrpm-p2h7-hrv2" ], "name" : "CVE-2021-23566", "csaw" : false }