Description
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
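The failure mode described above, as an added example that is not code from x/text or Red Hat: a toy UTF-16 decoder in Go whose short-input path returns no progress and no error (the shape of the bug) beside the fixed shape that reports the truncated unit, driven by a bounded stand-in for transform.String that refuses to spin. The names bomDecoder, decodeString and ErrNoProgress, the sentinel ErrShortSrc, and the little-endian-only BOM handling are assumptions of this model, and all inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
)

var ErrShortSrc = errors.New("short source: incomplete UTF-16 unit")          // stands in for transform.ErrShortSrc
var ErrNoProgress = errors.New("decoder returned no progress and no error") // driver-side progress check

// bomDecoder is a toy little-endian UTF-16 decoder that skips an optional FF FE BOM (a model,
// not the x/text code). With fixed=false a lone trailing byte yields (0 consumed, nil error).
type bomDecoder struct{ fixed bool }

func (d bomDecoder) Transform(src []byte) (out []rune, nSrc int, err error) {
	if len(src) < 2 {
		if d.fixed {
			return nil, 0, ErrShortSrc // fixed shape: report the truncated unit
		}
		return nil, 0, nil // vulnerable shape: consumed nothing, reported nothing
	}
	if src[0] == 0xFF && src[1] == 0xFE {
		nSrc = 2 // skip the BOM
	}
	var units []uint16
	for ; nSrc+1 < len(src); nSrc += 2 {
		units = append(units, uint16(src[nSrc+1])<<8|uint16(src[nSrc]))
	}
	return utf16.Decode(units), nSrc, nil
}

// decodeString stands in for transform.String: it re-feeds the unconsumed tail until it is
// gone. A naive loop spins forever on (0, nil); this one turns that into a hard error.
func decodeString(d bomDecoder, src []byte) (string, error) {
	var out []rune
	for len(src) > 0 {
		runes, n, err := d.Transform(src)
		out = append(out, runes...)
		if err == nil && n == 0 {
			err = ErrNoProgress // contract violation: a transformer must progress or fail
		}
		if err != nil {
			return string(out), err
		}
		src = src[n:]
	}
	return string(out), nil
}

func main() {
	s, err := decodeString(bomDecoder{fixed: false}, []byte{0xFF}) // constructed one-byte input
	fmt.Printf("%q %v\n", s, err)
}
```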
Statement
- OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.
- Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF's sg-core-container.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
A-MQ Interconnect 1 | amq-cert-manager-container | Will not fix | | |
A-MQ Interconnect 1 | amq-interconnect-operator-container | Will not fix | | |
OpenShift Developer Tools and Services | jenkins-operator-container | Out of support scope | | |
OpenShift Serverless | openshift-serverless-clients | Affected | | |
OpenShift Service Mesh 1 | jaeger | Out of support scope | | |
OpenShift Service Mesh 1 | jaeger-operator | Out of support scope | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | cert-policy-controller | Affected | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | configmap-watcher | Affected | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | config-policy-controller | Affected | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | endpoint-component-operator | Not affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Moderate: container-tools:rhel8 security, bug fix, and enhancement update