{
  "threat_severity" : "Moderate",
  "public_date" : "2023-11-09T00:00:00Z",
  "bugzilla" : {
    "description" : "axios: exposure of confidential data stored in cookies",
    "id" : "2248979",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2248979"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.", "A flaw was found in Axios that may expose a confidential session token. This issue can allow a remote attacker to bypass security measures and view sensitive data." ],
  "statement" : "For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the affected container was deprecated in ACM version 2.5, which is no longer supported. Subsequent versions of this product are not impacted by this issue.",
  "affected_release" : [ {
    "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8",
    "release_date" : "2024-06-13T00:00:00Z",
    "advisory" : "RHSA-2024:3920",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8",
    "package" : "axios"
  }, {
    "product_name" : "MTA-6.2-RHEL-9",
    "release_date" : "2024-06-20T00:00:00Z",
    "advisory" : "RHSA-2024:3989",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9",
    "package" : "mta/mta-windup-addon-rhel9:6.2.3-2"
  }, {
    "product_name" : "MTA-7.0-RHEL-9",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3316",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:7.0::el9",
    "package" : "mta/mta-cli-rhel9:7.0.3-16"
  }, {
    "product_name" : "MTA-7.0-RHEL-9",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3316",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:7.0::el9",
    "package" : "mta/mta-ui-rhel9:7.0.3-13"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-central-db-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-collector-rhel8:4.7.0-3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-operator-bundle:4.7.0-3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-rhel8-operator:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-roxctl-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.0-3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.7",
    "release_date" : "2025-03-17T00:00:00Z",
    "advisory" : "RHSA-2025:2876",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.7::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.0-4"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-04-02T00:00:00Z",
    "advisory" : "RHSA-2024:1640",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "automation-controller-0:4.5.5-2.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-04-02T00:00:00Z",
    "advisory" : "RHSA-2024:1640",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "automation-controller-0:4.5.5-2.el9ap"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1925",
    "cpe" : "cpe:/a:redhat:rhmt:1.8::el8",
    "package" : "rhmtc/openshift-migration-ui-rhel8:v1.8.3-4"
  }, {
    "product_name" : "RHEL-8-CNV-4.12",
    "release_date" : "2024-07-02T00:00:00Z",
    "advisory" : "RHSA-2024:4269",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4.12::el8",
    "package" : "container-native-virtualization/kubevirt-console-plugin:v4.12.12-7"
  }, {
    "product_name" : "RHEL-9-CNV-4.13",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5314",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4.13::el9",
    "package" : "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.13.10-387"
  }, {
    "product_name" : "RHEL-9-CNV-4.14",
    "release_date" : "2024-05-29T00:00:00Z",
    "advisory" : "RHSA-2024:3473",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4.14::el9",
    "package" : "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.14.6-195"
  }, {
    "product_name" : "RHEL-9-CNV-4.15",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3314",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4.15::el9",
    "package" : "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383"
  }, {
    "product_name" : "RHEL-9-CNV-4.16",
    "release_date" : "2024-07-10T00:00:00Z",
    "advisory" : "RHSA-2024:4455",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4.16::el9",
    "package" : "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.16.0-4001"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 2",
    "fix_state" : "Fix deferred",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Migration Toolkit for Applications 6",
    "fix_state" : "Not affected",
    "package_name" : "mta/mta-ui-rhel8",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6"
  }, {
    "product_name" : "Migration Toolkit for Virtualization",
    "fix_state" : "Not affected",
    "package_name" : "migration-toolkit-virtualization/mtv-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-engine/console-mce-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-engine/multicluster-engine-console-mce-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Network Observability Operator",
    "fix_state" : "Not affected",
    "package_name" : "network-observability/network-observability-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/kiali-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp-system-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Out of support scope",
    "package_name" : "rhacm2/grc-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Out of support scope",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-tower",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-eda-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-hub",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-services-catalog",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-galaxy-ng",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python-galaxy-ng",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Not affected",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Will not fix",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Not affected",
    "package_name" : "discovery-server-container",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhods/odh-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Will not fix",
    "package_name" : "devspaces/code-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/traefik-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Will not fix",
    "package_name" : "axios",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-45857\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45857" ],
  "name" : "CVE-2023-45857",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}