{
  "threat_severity" : "Important",
  "public_date" : "2024-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "express: cause malformed URLs to be evaluated",
    "id" : "2290901",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2290901"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "Express.js is a minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", "A flaw was found in the Express.js minimalist web framework for node. Upstream versions of Express.js before 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This issue can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in upstream version 4.19.2 and 5.0.0-beta.3." ],
  "statement" : "Red Hat Fuse 7 uses express only as a build-time development dependency; it is not part of the final product delivery.\nUpstream versions should not be relied upon for ultimate determination of affectedness. Red Hat might backport fixes from upstream versions on a case-by-case basis.",
  "affected_release" : [ {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-cli-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-console-plugin-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-ebpf-agent-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-flowlogs-pipeline-rhel9:v1.6.0-66"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-operator-bundle:1.6.0-78"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.6.0-RHEL-9",
    "release_date" : "2024-06-17T00:00:00Z",
    "advisory" : "RHSA-2024:3868",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.6.0::el9",
    "package" : "network-observability/network-observability-rhel9-operator:v1.6.0-66"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-chains-controller-rhel8:v1.16.0-6"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-cli-tkn-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-console-plugin-rhel8:v1.16.0-52"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-controller-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-entrypoint-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-events-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-git-init-rhel8:v1.16.0-5"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-hub-api-rhel8:v1.16.0-3"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-hub-db-migration-rhel8:v1.16.0-3"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-hub-ui-rhel8:v1.16.0-3"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-manual-approval-gate-rhel8:v1.16.0-2"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-nop-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-operator-bundle:v1.16.0-42"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-operator-proxy-rhel8:v1.16.0-28"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-operator-webhook-rhel8:v1.16.0-28"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-pipelines-as-code-rhel8:v1.16.0-3"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-resolvers-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-results-api-rhel8:v1.16.0-6"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-results-retention-policy-agent-rhel8:v1.16.0-4"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-results-watcher-rhel8:v1.16.0-6"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-rhel8-operator:v1.16.0-28"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-serve-tkn-cli-rhel8:v1.16.0-5"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-triggers-controller-rhel8:v1.16.0-4"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-triggers-core-interceptors-rhel8:v1.16.0-5"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-triggers-eventlistenersink-rhel8:v1.16.0-5"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-triggers-webhook-rhel8:v1.16.0-5"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-webhook-rhel8:v1.16.0-7"
  }, {
    "product_name" : "OpenShift-Pipelines-1.16-RHEL-8",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHEA-2024:7870",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.16::el8",
    "package" : "openshift-pipelines/pipelines-workingdirinit-rhel8:v1.16.0-7"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2.6.1 GA",
    "release_date" : "2024-07-25T00:00:00Z",
    "advisory" : "RHSA-2024:4873",
    "cpe" : "cpe:/a:redhat:apicurio_registry:2.6",
    "package" : "express"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.8",
    "release_date" : "2024-09-26T00:00:00Z",
    "advisory" : "RHSA-2024:7164",
    "cpe" : "cpe:/a:redhat:rhmt:1.8::el8",
    "package" : "rhmtc/openshift-migration-ui-rhel8:v1.8.4-10"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/grafana-rhel8:2.6.1-6"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/istio-cni-rhel8:2.6.1-7"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/istio-must-gather-rhel8:2.6.1-4"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/istio-rhel8-operator:2.6.1-9"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/kiali-ossmc-rhel8:1.89.0-2"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/kiali-rhel8:1.89.1-3"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/kiali-rhel8-operator:1.89.1-1"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/pilot-rhel8:2.6.1-7"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/ratelimit-rhel8:2.6.1-6"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 9",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6211",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el9",
    "package" : "openshift-service-mesh/proxyv2-rhel9:2.6.1-4"
  }, {
    "product_name" : "RHODF-4.14-RHEL-9",
    "release_date" : "2024-10-03T00:00:00Z",
    "advisory" : "RHSA-2024:7624",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/mcg-core-rhel9:v4.14.11-1"
  }, {
    "product_name" : "RHODF-4.14-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8551",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/ocs-client-console-rhel9:v4.14.18-2"
  }, {
    "product_name" : "RHODF-4.14-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8551",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/odf-console-rhel9:v4.14.18-3"
  }, {
    "product_name" : "RHODF-4.14-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8551",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:v4.14.18-2"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8544",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/ocs-client-console-rhel9:v4.15.14-2"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8544",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/odf-console-rhel9:v4.15.14-2"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8544",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:v4.15.14-2"
  }, {
    "product_name" : "RHODF-4.16-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8479",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9",
    "package" : "odf4/ocs-client-console-rhel9:v4.16.10-4"
  }, {
    "product_name" : "RHODF-4.16-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8479",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9",
    "package" : "odf4/odf-console-rhel9:v4.16.10-4"
  }, {
    "product_name" : "RHODF-4.16-RHEL-9",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8479",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:v4.16.10-3"
  }, {
    "product_name" : "RHODF-4.17-RHEL-9",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8059",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.17::el9",
    "package" : "odf4/ocs-client-console-rhel9:v4.17.7-2"
  }, {
    "product_name" : "RHODF-4.17-RHEL-9",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8059",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.17::el9",
    "package" : "odf4/odf-console-rhel9:v4.17.7-2"
  }, {
    "product_name" : "RHODF-4.17-RHEL-9",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8059",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.17::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:v4.17.7-2"
  }, {
    "product_name" : "RHODF-4.18-RHEL-9",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4511",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.18::el9",
    "package" : "odf4/ocs-client-console-rhel9:v4.18.2-8"
  }, {
    "product_name" : "RHODF-4.18-RHEL-9",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4511",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.18::el9",
    "package" : "odf4/odf-console-rhel9:v4.18.2-7"
  }, {
    "product_name" : "RHODF-4.18-RHEL-9",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4511",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.18::el9",
    "package" : "odf4/odf-multicluster-console-rhel9:v4.18.2-8"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Interconnect 1",
    "fix_state" : "Affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:amq_interconnect:1"
  }, {
    "product_name" : "Cryostat 2",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/logging-view-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Migration Toolkit for Applications 6",
    "fix_state" : "Will not fix",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6"
  }, {
    "product_name" : "Migration Toolkit for Applications 6",
    "fix_state" : "Will not fix",
    "package_name" : "mta/mta-ui-rhel8",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6"
  }, {
    "product_name" : "Migration Toolkit for Applications 7",
    "fix_state" : "Will not fix",
    "package_name" : "mta/mta-cli-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:7"
  }, {
    "product_name" : "Migration Toolkit for Applications 7",
    "fix_state" : "Affected",
    "package_name" : "mta/mta-ui-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:7"
  }, {
    "product_name" : "Migration Toolkit for Runtimes",
    "fix_state" : "Affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1"
  }, {
    "product_name" : "Migration Toolkit for Virtualization",
    "fix_state" : "Not affected",
    "package_name" : "migration-toolkit-virtualization/mtv-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-engine/console-mce-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-engine/multicluster-engine-console-mce-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Will not fix",
    "package_name" : "workload-availability/node-remediation-console-rhel8",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Affected",
    "package_name" : "3scale-amp-system-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-central-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-central-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Affected",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-scanner-v4-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-scanner-v4-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "aap-cloud-ui-container",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-eda-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh-operator-container",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Will not fix",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Will not fix",
    "package_name" : "discovery-server-container",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "cldr-emoji-annotation",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "cldr-emoji-annotation",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mozjs60",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "cldr-emoji-annotation",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "gjs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "polkit",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "io.hawt-project",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "io.hawt-project",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Will not fix",
    "package_name" : "odh-dashboard-container",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Will not fix",
    "package_name" : "odh-operator-container",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/nmstate-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-monitoring-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-networking-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Affected",
    "package_name" : "ocs4/mcg-core-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-operator-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/traefik-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/jaeger-all-in-one-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-collector-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-es-index-cleaner-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-es-rollover-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-ingester-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/jaeger-query-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/jaeger-all-in-one-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-collector-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-es-index-cleaner-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-es-rollover-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/jaeger-ingester-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/jaeger-query-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argo-rollouts-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/console-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Will not fix",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "express",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "qpid-dispatch",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite-capsule:el8/qpid-dispatch",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "satellite:el8/qpid-dispatch",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-29041\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29041\nhttps://expressjs.com/en/4x/api.html#res.location\nhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd\nhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94\nhttps://github.com/expressjs/express/pull/5539\nhttps://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc\nhttps://github.com/koajs/koa/issues/1800" ],
  "name" : "CVE-2024-29041",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a practical mitigation exists for this issue and has not been able to identify one. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}