Description
serve-static serves static files. Passing untrusted user input, even after sanitizing it, to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().
Statement
rhdh-hub-container 1.2 and 1.3 have included patches for this vulnerability.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Cryostat 3 | serve-static | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-view-plugin-rhel9 | Not affected | ||
| Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Will not fix | ||
| Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Will not fix | ||
| Migration Toolkit for Runtimes | serve-static | Will not fix | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Not affected | ||
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel8 | Will not fix | ||
| OpenShift Lightspeed | openshift-lightspeed-beta/lightspeed-console-plugin-rhel9 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Affected | ||
EPSS
5 Medium
CVSS3
Related vulnerabilities
serve-static affected by template injection that can lead to XSS
serve-static serves static files. serve-static passes untrusted user i ...
serve-static vulnerable to template injection that can lead to XSS