{ "threat_severity" : "Moderate", "public_date" : "2022-04-27T00:00:00Z", "bugzilla" : { "description" : "go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses", "id" : "2080279", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2080279" }, "cvss3" : { "cvss3_base_score" : "5.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-532", "details" : [ "The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.", "A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-baremetal-machine-controllers:v4.11.0-202208020235.p0.ga65be86.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-baremetal-rhel8-operator:v4.11.0-202208020235.p0.g22b522c.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-cluster-baremetal-operator-rhel8:v4.11.0-202208020235.p0.g0f415d1.assembly.stream" }, { "product_name" : "Red Hat OpenShift Data Foundation 4.11 on RHEL8", "release_date" : "2022-08-24T00:00:00Z", "advisory" : "RHSA-2022:6156", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.11::el8", "package" : "odf4/odr-rhel8-operator:v4.11.0-27" } ], "package_state" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/agent-service-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/cluster-curator-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/clusterlifecycle-state-metrics-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/managedcluster-import-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicloud-manager-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multiclusterhub-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-application-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/search-aggregator-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/subctl-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/submariner-rhel8-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-baremetal-installer-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-installer", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-installer-artifacts-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/gitops-operator-bundle", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Will not fix", "package_name" : "osp-director-provisioner-container", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Will not fix", "package_name" : "rhosp-rhel8/osp-director-downloader", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Will not fix", "package_name" : "rhosp-rhel8-tech-preview/osp-director-operator", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Affected", "package_name" : "quay/quay-operator-rhel8", "cpe" : "cpe:/a:redhat:quay:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-29810\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29810\nhttps://github.com/golang/vulndb/issues/438" ], "name" : "CVE-2022-29810", "csaw" : false }