{
  "threat_severity" : "Moderate",
  "public_date" : "2023-02-16T00:00:00Z",
  "bugzilla" : {
    "description" : "go-getter: go-getter vulnerable to denial of service via malicious compressed archive",
    "id" : "2170844",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2170844"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-409",
  "details" : [ "HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.", "A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5006",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "openshift4/ose-installer:v4.14.0-202310201027.p0.g03546e5.assembly.stream"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-security-profiles-operator-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Will not fix",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odr-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-operator-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-0475\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0475\nhttps://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125" ],
  "name" : "CVE-2023-0475",
  "csaw" : false
}