{ "threat_severity" : "Moderate", "public_date" : "2021-09-13T00:00:00Z", "bugzilla" : { "description" : "serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196", "id" : "1992955", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1992955" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0.", "CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed for Serverless 1.16.0 and Serverless client kn 1.16.0." ], "statement" : "The flaw is moderate as the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 are moderate. The score is assigned as per the highest score given in CVE-2021-27918 and CVE-2021-33196.", "affected_release" : [ { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/client-kn-rhel8:0.23.2-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-controller-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-mtping-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-sugar-controller-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/eventing-webhook-rhel8:0.23.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/ingress-rhel8-operator:1.17.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/knative-rhel8-operator:1.17.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/kn-cli-artifacts-rhel8:0.23.2-1" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/kourier-control-rhel8:0.23.0-4" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/net-istio-controller-rhel8:0.23.0-4" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/net-istio-webhook-rhel8:0.23.0-4" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serverless-operator-bundle:1.17.0-11" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serverless-rhel8-operator:1.17.0-5" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-activator-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-autoscaler-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-controller-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-domain-mapping-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-queue-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-storage-version-migration-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/serving-webhook-rhel8:0.23.1-2" }, { "product_name" : "Openshift Serverless 1.17", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3556", "cpe" : "cpe:/a:redhat:serverless:1.17::el8", "package" : "openshift-serverless-1/svls-must-gather-rhel8:1.17.0-5" }, { "product_name" : "Openshift Serverless 1 on RHEL 8", "release_date" : "2021-09-16T00:00:00Z", "advisory" : "RHSA-2021:3555", "cpe" : "cpe:/a:redhat:serverless:1.0::el8", "package" : "openshift-serverless-clients-0:0.23.2-1.el8" } ], "package_state" : [ { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "knative-eventing", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "knative-serving", "cpe" : "cpe:/a:redhat:serverless:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3703\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3703" ], "name" : "CVE-2021-3703", "csaw" : false }