Action not permitted
Modal body text goes here.
cve-2025-22866
Vulnerability from cvelistv5
Published
2025-02-06 16:54
Modified
2025-02-21 18:03
Severity ?
EPSS score ?
Summary
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Go standard library | crypto/internal/nistec |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T20:40:17.232803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T14:47:25.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-21T18:03:36.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/internal/nistec",
"product": "crypto/internal/nistec",
"programRoutines": [
{
"name": "p256NegCond"
},
{
"name": "P256Point.ScalarBaseMult"
},
{
"name": "P256Point.ScalarMult"
},
{
"name": "P256Point.SetBytes"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.22.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.23.6",
"status": "affected",
"version": "1.23.0-0",
"versionType": "semver"
},
{
"lessThan": "1.24.0-rc.3",
"status": "affected",
"version": "1.24.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:54:10.252Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/643735"
},
{
"url": "https://go.dev/issue/71383"
},
{
"url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3447"
}
],
"title": "Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-22866",
"datePublished": "2025-02-06T16:54:10.252Z",
"dateReserved": "2025-01-08T19:11:42.834Z",
"dateUpdated": "2025-02-21T18:03:36.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-22866\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2025-02-06T17:15:21.410\",\"lastModified\":\"2025-02-21T18:15:32.243\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.\"},{\"lang\":\"es\",\"value\":\"Debido al uso de una instrucci\u00f3n de tiempo variable en la implementaci\u00f3n de ensamblaje de una funci\u00f3n interna, se filtra una peque\u00f1a cantidad de bits de escalares secretos en la arquitectura ppc64le. Debido a la forma en que se utiliza esta funci\u00f3n, no creemos que esta filtraci\u00f3n sea suficiente para permitir la recuperaci\u00f3n de la clave privada cuando se utiliza P-256 en cualquier protocolo conocido.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":1.4}]},\"references\":[{\"url\":\"https://go.dev/cl/643735\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/issue/71383\",\"source\":\"security@golang.org\"},{\"url\":\"https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k\",\"source\":\"security@golang.org\"},{\"url\":\"https://pkg.go.dev/vuln/GO-2025-3447\",\"source\":\"security@golang.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250221-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
rhsa-2025_2789
Vulnerability from csaf_redhat
Published
2025-03-13 14:28
Modified
2025-03-26 23:00
Summary
Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.5.0 release
Notes
Topic
Red Hat build of OpenTelemetry 3.5.0 has been released
Details
Release of Red Hat OpenShift distributed tracing provides following security improvements, bug fixes, and new features.
Breaking changes:
* Nothing
Deprecations:
* In the Red Hat build of OpenTelemetry 3.5, the Loki Exporter, which is a temporary Technology Preview feature, is deprecated. The Loki Exporter is planned to be removed in the Red Hat build of OpenTelemetry 3.6. If you currently use the Loki Exporter for the OpenShift Logging 6.1 or later, replace the Loki Exporter with the OTLP HTTP Exporter.
Technology Preview features:
* AWS CloudWatch Exporter
* AWS EMF Exporter
* AWS X-Ray Exporter
Enhancements:
* The following Technology Preview features reach General Availability:
* Host Metrics Receiver
* Kubelet Stats Receiver
* With this update, the OpenTelemetry Collector uses the OTLP HTTP Exporter to push logs to the OpenShift Logging (LokiStack) 6.1 or later.
* With this update, the Operator automatically creates RBAC rules for the Kubernetes Events Receiver (k8sevents), Kubernetes Cluster Receiver (k8scluster), and Kubernetes Objects Receiver (k8sobjects) if the Operator has sufficient permissions.
For more information, see "Creating the required RBAC resources automatically": https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry/configuring-the-collector#otel-creating-required-RBAC-resources-automatically_otel-configuration-of-otel-collector
Bug fixes:
* Before this update, manually created routes for the Collector services were unintentionally removed when the Operator pod was restarted. With this update, restarting the Operator pod does not result in the removal of the manually created routes.
Known issues:
* Nothing
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of OpenTelemetry 3.5.0 has been released",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift distributed tracing provides following security improvements, bug fixes, and new features.\nBreaking changes:\n* Nothing\n\nDeprecations:\n* In the Red Hat build of OpenTelemetry 3.5, the Loki Exporter, which is a temporary Technology Preview feature, is deprecated. The Loki Exporter is planned to be removed in the Red Hat build of OpenTelemetry 3.6. If you currently use the Loki Exporter for the OpenShift Logging 6.1 or later, replace the Loki Exporter with the OTLP HTTP Exporter.\n\nTechnology Preview features:\n* AWS CloudWatch Exporter\n* AWS EMF Exporter\n* AWS X-Ray Exporter\n\nEnhancements:\n* The following Technology Preview features reach General Availability:\n\n * Host Metrics Receiver\n\n * Kubelet Stats Receiver\n\n* With this update, the OpenTelemetry Collector uses the OTLP HTTP Exporter to push logs to the OpenShift Logging (LokiStack) 6.1 or later.\n* With this update, the Operator automatically creates RBAC rules for the Kubernetes Events Receiver (k8sevents), Kubernetes Cluster Receiver (k8scluster), and Kubernetes Objects Receiver (k8sobjects) if the Operator has sufficient permissions.\n For more information, see \"Creating the required RBAC resources automatically\": https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry/configuring-the-collector#otel-creating-required-RBAC-resources-automatically_otel-configuration-of-otel-collector\n\n\nBug fixes:\n* Before this update, manually created routes for the Collector services were unintentionally removed when the Operator pod was restarted. With this update, restarting the Operator pod does not result in the removal of the manually created routes. \nKnown issues:\n* Nothing",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2789",
"url": "https://access.redhat.com/errata/RHSA-2025:2789"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-45336",
"url": "https://access.redhat.com/security/cve/CVE-2024-45336"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-56171",
"url": "https://access.redhat.com/security/cve/CVE-2024-56171"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-22866",
"url": "https://access.redhat.com/security/cve/CVE-2025-22866"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-24528",
"url": "https://access.redhat.com/security/cve/CVE-2025-24528"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-24928",
"url": "https://access.redhat.com/security/cve/CVE-2025-24928"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/red_hat_build_of_opentelemetry"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2789.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.5.0 release",
"tracking": {
"current_release_date": "2025-03-26T23:00:43+00:00",
"generator": {
"date": "2025-03-26T23:00:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.1"
}
},
"id": "RHSA-2025:2789",
"initial_release_date": "2025-03-13T14:28:17+00:00",
"revision_history": [
{
"date": "2025-03-13T14:28:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-24T14:28:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-26T23:00:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift distributed tracing 3.5",
"product": {
"name": "Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift distributed tracing"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-operator-bundle@sha256%3Ad23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3Af9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3Ae2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3A0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3A12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3A7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3Abf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81?arch=arm64\u0026repository_url=registry.redhat.io/rhosdt"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3A8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3Affd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3Acced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-collector-rhel8@sha256%3A92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-rhel8-operator@sha256%3Aadb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x",
"product": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x",
"product_id": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/opentelemetry-target-allocator-rhel8@sha256%3Ae3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64 as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x as a component of Red Hat OpenShift distributed tracing 3.5",
"product_id": "Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
},
"product_reference": "registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x",
"relates_to_product_reference": "Red Hat OpenShift distributed tracing 3.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45336",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2025-01-23T12:57:38.123000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2341751"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http package of the Golang standard library. The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to `a.com/` containing an Authorization header redirected to `b.com/` will not send that header to `b.com`. However, the sensitive headers would be restored if the client received a subsequent same-domain redirect. For example, a chain of redirects from `a.com/`, to `b.com/1`, and finally to `b.com/2` would incorrectly send the Authorization header to `b.com/2`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-45336"
},
{
"category": "external",
"summary": "RHBZ#2341751",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2341751"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-45336",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45336"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45336",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45336"
}
],
"release_date": "2025-01-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-13T14:28:17+00:00",
"details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2789"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect"
},
{
"cve": "CVE-2024-56171",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2025-02-18T23:01:25.366636+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2346416"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxml2. This vulnerability allows a use-after-free via a crafted XML document validated against an XML schema with certain identity constraints or a crafted XML schema.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml2: Use-After-Free in libxml2",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as important because it involves a use-after-free flaw in the xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables functions. A maliciously crafted XML document or schema, containing specific identity constraints, can be used to trigger this vulnerability and potentially gain unauthorized access or cause a denial-of-service condition.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-56171"
},
{
"category": "external",
"summary": "RHBZ#2346416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346416"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-56171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56171"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/828",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/828"
}
],
"release_date": "2025-02-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-13T14:28:17+00:00",
"details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2789"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml2: Use-After-Free in libxml2"
},
{
"cve": "CVE-2025-22866",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2025-02-06T17:00:56.155646+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344219"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Golang crypto/internal/nistec package. Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Considering how this function is used, this leakage is likely insufficient to recover the private key when P-256 is used in any well-known protocols.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22866"
},
{
"category": "external",
"summary": "RHBZ#2344219",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344219"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22866",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22866"
},
{
"category": "external",
"summary": "https://go.dev/cl/643735",
"url": "https://go.dev/cl/643735"
},
{
"category": "external",
"summary": "https://go.dev/issue/71383",
"url": "https://go.dev/issue/71383"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k",
"url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3447",
"url": "https://pkg.go.dev/vuln/GO-2025-3447"
}
],
"release_date": "2025-02-06T16:54:10.252000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-13T14:28:17+00:00",
"details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2789"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec"
},
{
"cve": "CVE-2025-24528",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-01-29T13:47:59.362000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2342796"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in krb5. With incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file. This issue can trigger a process crash and lead to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "krb5: overflow when calculating ulog block size",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-24528"
},
{
"category": "external",
"summary": "RHBZ#2342796",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342796"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-24528",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24528"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-24528",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24528"
},
{
"category": "external",
"summary": "https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0",
"url": "https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0"
}
],
"release_date": "2024-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-13T14:28:17+00:00",
"details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2789"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "krb5: overflow when calculating ulog block size"
},
{
"cve": "CVE-2025-24928",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2025-02-18T23:01:36.502916+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2346421"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxml2. This vulnerability allows a stack-based buffer overflow via DTD validation of an untrusted document or untrusted DTD.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml2: Stack-based buffer overflow in xmlSnprintfElements of libxml2",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as important because it involves a stack-based buffer overflow in the xmlSnprintfElements function within valid.c. Exploiting this issue requires DTD validation to occur on an untrusted document or untrusted DTD, making it a potential security risk for applications using libxml2 that do not adequately restrict DTD input.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
],
"known_not_affected": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-24928"
},
{
"category": "external",
"summary": "RHBZ#2346421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346421"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-24928",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24928"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-24928",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24928"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/847",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/847"
},
{
"category": "external",
"summary": "https://issues.oss-fuzz.com/issues/392687022",
"url": "https://issues.oss-fuzz.com/issues/392687022"
}
],
"release_date": "2025-02-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-13T14:28:17+00:00",
"details": "For details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators",
"product_ids": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2789"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:12407a15fefa30bb851444d27b00e1815970ae085deca7c17537612ec9e4bff6_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:8b7455c14f26b80006568829343688b50ad1c563d339c35f70eb7d561499bc1c_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:92613ae031dd45d85151ff1bd0703ee6bbc6842133cdc51b274769122ea40ac8_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-collector-rhel8@sha256:f9ec6952abc11519409299f0dfffae3b520395cc122d1f2cd375d65492c6aed7_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-operator-bundle@sha256:d23b9c8d0266de7ce5427d125b2749053d2e4b44d632e3eb484775a5eede41b0_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:7e0320614f3be4e8bb1442d5890d2a6cebaf0a1038599d6afbf50daca91e1d65_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:adb1f41e544331b0936c6591edb00c169a9e5a2592c12f6ee55aaab8786ff5ba_s390x",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:e2375ae72ddda9e05e66972adb7bf953bfbf220dcc8b36d6eb1ab76d9e96ff5d_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-rhel8-operator@sha256:ffd6b70068dd4d6bf7a835c0bbf5b934f26ff2b0f5755130dccb099340550083_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:0742729985d0b1ce925bdaaa92c2bb42272902f4c2e93038c0fcf171c7baf03f_amd64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:bf3aa3e5522cf90d82fbd34710e08448a93b88a9876c77415a1027f83a195a81_arm64",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:cced4191c3e84f44eca2ed486592c473f97fd5cd0941edb9d216051802dad3f7_ppc64le",
"Red Hat OpenShift distributed tracing 3.5:registry.redhat.io/rhosdt/opentelemetry-target-allocator-rhel8@sha256:e3f56102b0cf46e862fc1e015516c5364e49d02cd6ca112b72b1fa3287a96a2d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml2: Stack-based buffer overflow in xmlSnprintfElements of libxml2"
}
]
}
ghsa-3whm-j4xm-rv8x
Vulnerability from github
Published
2025-02-06 18:31
Modified
2025-02-21 18:31
Severity ?
Details
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
{
"affected": [],
"aliases": [
"CVE-2025-22866"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T17:15:21Z",
"severity": "HIGH"
},
"details": "Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.",
"id": "GHSA-3whm-j4xm-rv8x",
"modified": "2025-02-21T18:31:07Z",
"published": "2025-02-06T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22866"
},
{
"type": "WEB",
"url": "https://go.dev/cl/643735"
},
{
"type": "WEB",
"url": "https://go.dev/issue/71383"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3447"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250221-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.