exploitDog
CVE-2021-29059

Published: 21 Jun 2021
Source: redhat
CVSS3: 7.5

Description

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

A flaw was found in IS-SVG where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string. The highest threat from this vulnerability is to system availability.

Report

Since OpenShift Service Mesh 1.1.x is in its maintenance phase, only Important and Critical issues will be fixed at this time. In Red Hat OpenShift Container Platform (RHOCP) and OpenShift Service Mesh (OSSM), the affected components are behind OpenShift OAuth. This restricts access to the vulnerable is-svg library to authenticated users only, therefore the impact is low.

OCP 4 delivers the kibana package where is-svg is bundled, but during the update to container-first (to openshift4/ose-logging-kibana6 starting in OCP 4.5) the dependency was removed and hence the kibana package is marked as wontfix. In OCP the grafana container bundles the is-svg library, but as the Grafana dashboard is read-only, injecting the malicious string is not possible, therefore this component has been marked as wontfix at this time and may be fixed in a future release.

In Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are no longer in use in 2.2 and 2.3, except for console-ui-container in 2.1, which is behind the OAuth, in which case the impact is marked as low. RHACM 2.1 is in its maintenance phase, so only Important and Critical issues will be fixed at this time.

In Red Hat Virtualization a vulnerable version of is-svg is used in ovirt-web-ui and ovirt-engine-ui-extensions. It is a build-time dependency not exploitable in the delivered product. Therefore the impact is rated Low and it will not be immediately fixed. An update may be provided in future releases.

Affected packages

Platform                                              Package                      State                 Advisory   Release
OpenShift Service Mesh 1                              servicemesh-grafana          Will not fix
OpenShift Service Mesh 1                              servicemesh-prometheus       Will not fix
OpenShift Service Mesh 2.0                            servicemesh-grafana          Affected
OpenShift Service Mesh 2.0                            servicemesh-prometheus       Affected
Red Hat Advanced Cluster Management for Kubernetes 2  rhacm2/console-rhel8         Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  rhacm2/console-ui-rhel8      Will not fix
Red Hat Decision Manager 7                            is-svg                       Out of support scope
Red Hat OpenShift Container Platform 3.11             kibana                       Fix deferred
Red Hat OpenShift Container Platform 4                kibana                       Will not fix
Red Hat OpenShift Container Platform 4                openshift4/ose-grafana       Will not fix

Additional information

Status: Moderate
Defect: CWE-400
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1974839
nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string

CVSS3: 7.5 (High)

Related vulnerabilities

CVSS3: 7.5
nvd
more than 4 years ago

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

CVSS3: 7.5
github
about 4 years ago

ReDOS in IS-SVG

CVSS3: 7.5
fstec
more than 4 years ago

A vulnerability in the IS-SVG library of the NPM package manager, related to unbounded memory allocation, that allows an attacker to cause a denial of service