{ "threat_severity" : "Important", "public_date" : "2022-05-24T00:00:00Z", "bugzilla" : { "description" : "go-getter: unsafe download (issue 2 of 3)", "id" : "2092923", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2092923" }, "cvss3" : { "cvss3_base_score" : "8.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-229", "details" : [ "go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.", "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2022-08-31T00:00:00Z", "advisory" : "RHSA-2022:6133", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "openshift4/ose-baremetal-rhel8-operator:v4.10.0-202208182025.p0.g97ce15e.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2022-09-08T00:00:00Z", "advisory" : "RHSA-2022:6258", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "openshift4/ose-cluster-baremetal-operator-rhel8:v4.10.0-202208260945.p0.g23614bb.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2022-10-12T00:00:00Z", "advisory" : "RHSA-2022:6805", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "openshift4/ose-baremetal-machine-controllers:v4.10.0-202209301647.p0.gadff401.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2022-11-02T00:00:00Z", "advisory" : "RHSA-2022:7211", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "openshift4/ose-installer:v4.10.0-202210250219.p0.g1ffe666.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-baremetal-machine-controllers:v4.11.0-202208020235.p0.ga65be86.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-baremetal-rhel8-operator:v4.11.0-202208020235.p0.g22b522c.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-08-10T00:00:00Z", "advisory" : "RHSA-2022:5069", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-cluster-baremetal-operator-rhel8:v4.11.0-202208020235.p0.g0f415d1.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.11", "release_date" : "2022-11-02T00:00:00Z", "advisory" : "RHSA-2022:7201", "cpe" : "cpe:/a:redhat:openshift:4.11::el8", "package" : "openshift4/ose-installer:v4.11.0-202210250857.p0.g9d1e216.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2022-09-14T00:00:00Z", "advisory" : "RHSA-2022:6308", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-baremetal-rhel8-operator:v4.8.0-202208241844.p0.g5492cf5.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2022-10-13T00:00:00Z", "advisory" : "RHSA-2022:6801", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-cluster-baremetal-operator-rhel8:v4.8.0-202209291426.p0.g117d47a.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2022-11-18T00:00:00Z", "advisory" : "RHSA-2022:7874", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-baremetal-machine-controllers:v4.8.0-202211031007.p0.g2dabef7.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2022-08-31T00:00:00Z", "advisory" : "RHSA-2022:6147", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "openshift4/ose-baremetal-rhel8-operator:v4.9.0-202208231335.p0.g4e7605b.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2022-10-19T00:00:00Z", "advisory" : "RHSA-2022:6905", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "openshift4/ose-cluster-baremetal-operator-rhel8:v4.9.0-202210061647.p0.g1a49892.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2022-11-03T00:00:00Z", "advisory" : "RHSA-2022:7216", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "openshift4/ose-baremetal-machine-controllers:v4.9.0-202210241459.p0.g41aa1f7.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2023-01-06T00:00:00Z", "advisory" : "RHSA-2022:9111", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "openshift4/ose-installer:v4.9.0-202212060115.p0.gf079984.assembly.stream" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "release_date" : "2022-07-20T00:00:00Z", "advisory" : "RHSA-2022:5673", "cpe" : "cpe:/a:redhat:openstack:16.2::el8", "package" : "rhosp-rhel8-tech-preview/osp-director-downloader:1.2.3-3" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "release_date" : "2022-07-20T00:00:00Z", "advisory" : "RHSA-2022:5673", "cpe" : "cpe:/a:redhat:openstack:16.2::el8", "package" : "rhosp-rhel8-tech-preview/osp-director-operator:1.2.3-3" } ], "package_state" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/agent-service-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/cluster-curator-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/clusterlifecycle-state-metrics-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/managedcluster-import-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicloud-manager-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multiclusterhub-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-application-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/search-aggregator-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/subctl-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/submariner-rhel8-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-baremetal-installer-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-installer-artifacts-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Will not fix", "package_name" : "odf4/odr-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Not affected", "package_name" : "openshift-gitops-1/gitops-operator-bundle", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Affected", "package_name" : "osp-director-provisioner-container", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Affected", "package_name" : "rhosp-rhel8/osp-director-operator", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Affected", "package_name" : "quay/quay-operator-rhel8", "cpe" : "cpe:/a:redhat:quay:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-30322\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-30322\nhttps://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930" ], "name" : "CVE-2022-30322", "mitigation" : { "value" : "The fix includes new configuration options to help limit the security exposure and have more secure defaults.", "lang" : "en:us" }, "csaw" : false }