{
  "threat_severity" : "Moderate",
  "public_date" : "2021-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-addressable: ReDoS in templates",
    "id" : "1979702",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1979702"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.", "A resource-consumption vulnerability was found in rubygem addressable, where its URI template implementation could allow an attacker's crafted template to consume resources, resulting in a denial of service. The highest threat from this vulnerability is to system availability." ],
  "statement" : "Red Hat CloudForms 5.0 (CFME 5.11) is in the maintenance support phase and we are no longer fixing Moderate/Low severity security bugs. Reference: https://access.redhat.com/support/policy/updates/cloudforms\nOpenShift 3.11 components are currently in maintenance support phase, hence Moderate/Low severity security bugs are set as Out Of Support Scope (OOSS). Reference: https://access.redhat.com/support/policy/updates/openshift_noncurrent",
  "affected_release" : [ {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2021-09-07T00:00:00Z",
    "advisory" : "RHBA-2021:3393",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/fluentd-rhel8:v5.2.0-10"
  }, {
    "product_name" : "Red Hat Satellite 6.10 for RHEL 7",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4702",
    "cpe" : "cpe:/a:redhat:satellite:6.10::el7",
    "package" : "tfm-rubygem-addressable-0:2.8.0-1.el7sat"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Will not fix",
    "package_name" : "cfme-gemset",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/eventrouter-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp-system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Affected",
    "package_name" : "3scale-toolbox",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Affected",
    "package_name" : "system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "logging-fluentd",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-logging-fluentd",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens) Operational Tools",
    "fix_state" : "Out of support scope",
    "package_name" : "rubygem-addressable",
    "cpe" : "cpe:/a:redhat:openstack-optools:13"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "rcue-addressable",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-32740\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-32740\nhttps://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g" ],
  "name" : "CVE-2021-32740",
  "mitigation" : {
    "value" : "Create template objects only from trusted sources that have been validated not to produce catastrophic backtracking.",
    "lang" : "en:us"
  },
  "csaw" : false
}