Описание
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
A denial of service flaw has been discovered in go-tuf. If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Pipelines | openshift-pipelines/pipelines-chains-controller-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-cli-tkn-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-opc-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-operator-bundle | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-operator-proxy-rhel8 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-operator-proxy-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-operator-webhook-rhel8 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-operator-webhook-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-rhel8-operator | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-rhel9-operator | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.9 Medium
CVSS3
Связанные уязвимости
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
go-tuf is a Go implementation of The Update Framework (TUF). Starting ...
go-tuf affected by client DoS via malformed server response
Уязвимость функции metadata.checkType() фреймворка для обеспечения безопасности систем обновления программного обеспечения go-tuf, позволяющая нарушителю вызвать отказ в обслуживании
5.9 Medium
CVSS3