{ "threat_severity" : "Important", "public_date" : "2023-04-01T00:00:00Z", "bugzilla" : { "description" : "github.com/Masterminds/vcs: Command Injection via argument injection", "id" : "2215317", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2215317" }, "cvss3" : { "cvss3_base_score" : "9.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-88", "details" : [ "The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.", "A flaw was found in the VCS package, caused by improper validation of user-supplied input. By using a specially-crafted argument, a remote attacker could execute arbitrary commands on the system." ], "statement" : "In Red Hat OpenStack, the 'github.com/Masterminds/vcs' is a transitive dependency and is not used by operators directly which reduces the chances for successful exploitation. Hence, the impact for OpenStack is reduced to moderate.", "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2023-07-19T00:00:00Z", "advisory" : "RHSA-2023:4053", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-agent-installer-csr-approver-rhel8:v4.11.0-202307072028.p0.gaa46748.assembly.stream" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "release_date" : "2023-08-22T00:00:00Z", "advisory" : "RHSA-2023:4694", "cpe" : "cpe:/a:redhat:openstack:16.2::el8", "package" : "rhosp-rhel8/osp-director-operator:1.3.0-8", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date" : "2023-08-16T00:00:00Z", "advisory" : "RHSA-2023:4582", "cpe" : "cpe:/a:redhat:openstack:17.1::el9", "package" : "rhosp-rhel9/osp-director-agent:1.3.1-10", "impact" : "moderate" } ], "package_state" : [ { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "helm", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/ingress-rhel8-operator", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/knative-rhel8-operator", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/serverless-rhel8-operator", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Not affected", "package_name" : "github-Masterminds-vcs", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "acm-multicluster-globalhub-agent-container", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "acm-multicluster-globalhub-manager-container", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "acm-multicluster-globalhub-operator-bundle-container", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "acm-multicluster-globalhub-operator-container", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-cluster-proxy-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-governance-policy-addon-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-search-v2-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-volsync-addon-controller-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multiclusterhub-repo-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multiclusterhub-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-channel-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-subscription-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Affected", "package_name" : "advanced-cluster-security/rhacs-main-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Affected", "package_name" : "advanced-cluster-security/rhacs-scanner-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Affected", "package_name" : "helm", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/kubernetes-nmstate-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/metallb-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/oc-mirror-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-alibaba-cloud-controller-manager-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-azure-cluster-api-controllers-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-cluster-version-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-gcp-filestore-csi-driver-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-gcp-pd-csi-driver-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-olm-rukpak-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-operator-registry", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-operator-sdk-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/special-resource-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4-wincw/windows-machine-config-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1", "fix_state" : "Affected", "package_name" : "rhai-tech-preview/assisted-installer-agent-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:1" }, { "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1", "fix_state" : "Affected", "package_name" : "rhai-tech-preview/assisted-installer-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:1" }, { "product_name" : "Red Hat Openshift Container Storage 4", "fix_state" : "Out of support scope", "package_name" : "ocs4/mcg-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift_container_storage:4" }, { "product_name" : "Red Hat Openshift Container Storage 4", "fix_state" : "Out of support scope", "package_name" : "ocs4/ocs-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift_container_storage:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/mcg-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/ocs-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/odf-csi-addons-sidecar-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/odf-lvm-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/odf-multicluster-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/odf-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/odr-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/gitops-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/kam-delivery-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-21235\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-21235\nhttps://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078" ], "name" : "CVE-2022-21235", "csaw" : false }