rhsa-2025_3053
Vulnerability from csaf_redhat
Published: 2025-03-20 04:55
Modified: 2025-03-27 16:22
Summary
Red Hat Security Advisory: Gatekeeper v3.15.4
Notes
Topic: Gatekeeper v3.15.4
Details
Gatekeeper v3.15.4
Gatekeeper is a validating webhook with auditing capabilities that can
enforce custom resource definition-based policies that are run with the
Open Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced
Cluster Management for Kubernetes subscription.
Starting in v3.15, the following namespaces are exempt from admission control:
- kube-*
- multicluster-engine
- hypershift
- hive
- rhacs-operator
- open-cluster-*
- openshift-*
To disable the default exempt namespaces, set the namespaces you want on the
object.
Security fix(es):
* golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
Additional Release Notes:
* v3.15.0 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0
* v3.15.1 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Gatekeeper v3.15.4", "title": "Topic" }, { "category": "general", "text": "Gatekeeper v3.15.4\n\nGatekeeper is a validating webhook with auditing capabilities that can\nenforce custom resource definition-based policies that are run with the\nOpen Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced\nCluster Management for Kubernetes subscription.\n\nStarting in v3.15, the following namespaces are exempt from admission control:\n\n- kube-*\n- multicluster-engine\n- hypershift\n- hive\n- rhacs-operator\n- open-cluster-*\n- openshift-*\n\nTo disable the default exempt namespaces, set the namespaces you want on the\nobject.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)\n\nAdditional Release Notes:\n\n* v3.15.0 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0\n* v3.15.1 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:3053", "url": "https://access.redhat.com/errata/RHSA-2025:3053" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0", "url": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0" }, { "category": "external", "summary": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1", "url": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1" }, { "category": "external", "summary": "2348366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366" }, { "category": "external", "summary": "2348367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367" }, { "category": "external", "summary": "ACM-18305", "url": "https://issues.redhat.com/browse/ACM-18305" }, { "category": "external", "summary": "ACM-18536", "url": "https://issues.redhat.com/browse/ACM-18536" }, { "category": "external", "summary": "HYPBLD-606", "url": "https://issues.redhat.com/browse/HYPBLD-606" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3053.json" } ], "title": "Red Hat Security Advisory: Gatekeeper v3.15.4", "tracking": { "current_release_date": "2025-03-27T16:22:46+00:00", "generator": { "date": "2025-03-27T16:22:46+00:00", "engine": { 
"name": "Red Hat SDEngine", "version": "4.4.2" } }, "id": "RHSA-2025:3053", "initial_release_date": "2025-03-20T04:55:47+00:00", "revision_history": [ { "date": "2025-03-20T04:55:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-03-20T04:55:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-03-27T16:22:46+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "gatekeeper 3.15 for RHEL 9", "product": { "name": "gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15", "product_identification_helper": { "cpe": "cpe:/a:redhat:gatekeeper:3.15::el9" } } } ], "category": "product_family", "name": "gatekeeper" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf?arch=s390x\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.15.1-30" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "product_identification_helper": { "purl": 
"pkg:oci/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460?arch=s390x\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.15.4-1" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63?arch=amd64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.15.1-30" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "product": { "name": "gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "product_id": "gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85?arch=amd64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-operator-bundle\u0026tag=v3.15.4-1" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "product_id": 
"gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d?arch=amd64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.15.4-1" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c?arch=ppc64le\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.15.1-30" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635?arch=ppc64le\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.15.4-1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": 
"gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94?arch=arm64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.15.1-30" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347?arch=arm64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.15.4-1" } } } ], "category": "architecture", "name": "arm64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64 as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64" }, "product_reference": "gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "relates_to_product_reference": 
"9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64 as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64 as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le as a component of 
gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64 as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64 as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x" }, "product_reference": 
"gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "relates_to_product_reference": "9Base-gatekeeper-3.15" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le as a component of gatekeeper 3.15 for RHEL 9", "product_id": "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le", "relates_to_product_reference": "9Base-gatekeeper-3.15" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "jub0bs" ] } ], "cve": "CVE-2025-22868", "cwe": { "id": "CWE-1286", "name": "Improper Validation of Syntactic Correctness of Input" }, "discovery_date": "2025-02-26T04:00:44.350024+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2348366" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang.org/x/oauth2/jws package in the token parsing component. 
This vulnerability allows an attacker to cause excessive memory consumption via a malicious malformed token.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-22868" 
}, { "category": "external", "summary": "RHBZ#2348366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868", "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868" }, { "category": "external", "summary": "https://go.dev/cl/652155", "url": "https://go.dev/cl/652155" }, { "category": "external", "summary": "https://go.dev/issue/71490", "url": "https://go.dev/issue/71490" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2025-3488", "url": "https://pkg.go.dev/vuln/GO-2025-3488" } ], "release_date": "2025-02-26T03:07:49.012000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-03-20T04:55:47+00:00", "details": "For more information, see the following resources:\n\n* See the Gatekeeper\ndocumentation: https://open-policy-agent.github.io/gatekeeper/website/docs/.\n\n* For support and troubleshooting, Gatekeeper is supported through a Red Hat Advanced Cluster Management for\nKubernetes subscription:\nhttps://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes.\n\n* The Open Policy Agent Gatekeeper community collaborates on Slack. 
Join the \n#opa-gatekeeper channel: https://openpolicyagent.slack.com/archives/CDTN970AX.\n\n* Open issues on the Gatekeeper GitHub repository: https://github.com/open-policy-agent/gatekeeper/issues.\n\n* See the installation and upgrade documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install.", "product_ids": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3053" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ 
"9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", 
"9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws" }, { "cve": "CVE-2025-22869", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2025-02-26T04:00:47.683125+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2348367" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. 
This can occur during key exchange when the other party is slow to respond during key exchange.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh", "title": "Vulnerability summary" }, { "category": "other", "text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", 
"9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-22869" }, { "category": "external", "summary": "RHBZ#2348367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869", "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869" }, { "category": "external", "summary": "https://go.dev/cl/652135", "url": "https://go.dev/cl/652135" }, { "category": "external", "summary": "https://go.dev/issue/71931", "url": "https://go.dev/issue/71931" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2025-3487", "url": "https://pkg.go.dev/vuln/GO-2025-3487" } ], "release_date": "2025-02-26T03:07:48.855000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-03-20T04:55:47+00:00", "details": "For more information, see the following resources:\n\n* See the Gatekeeper\ndocumentation: https://open-policy-agent.github.io/gatekeeper/website/docs/.\n\n* For support and troubleshooting, Gatekeeper is supported through a Red Hat Advanced Cluster Management for\nKubernetes subscription:\nhttps://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes.\n\n* The Open Policy Agent Gatekeeper community collaborates on Slack. 
Join the \n#opa-gatekeeper channel: https://openpolicyagent.slack.com/archives/CDTN970AX.\n\n* Open issues on the Gatekeeper GitHub repository: https://github.com/open-policy-agent/gatekeeper/issues.\n\n* See the installation and upgrade documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install.", "product_ids": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3053" }, { "category": "workaround", "details": "This flaw can be mitigated when using the client only connecting to trusted servers.", "product_ids": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", 
"9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64", 
"9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x", "9Base-gatekeeper-3.15:gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh" } ] }