ID

VAR-202004-2191


CVE

CVE-2020-11022


TITLE

Cross-site scripting vulnerability in jQuery

Trust: 0.8

sources: JVNDB: JVNDB-2020-004854

DESCRIPTION

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

jQuery contains a cross-site scripting vulnerability. Information may be obtained and tampered with.

jQuery is an open source, cross-browser JavaScript library developed by the American programmer John Resig. The library simplifies interaction between HTML and JavaScript and supports modularization and plug-in extension. The vulnerability stems from the lack of correct validation of client-supplied data in web applications. An attacker could exploit this vulnerability to execute client-side code.

Description:

* Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)
* Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP(s) requests by default
* Updated several dependencies of Ansible Tower's User Interface to address (CVE-2020-7720, CVE-2020-7743, CVE-2020-7676)
* Updated to the latest version of python-psutil to address CVE-2019-18874
* Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases
* Fixed workflows to no longer prevent certain users from being able to edit approval nodes
* Fixed confusing behavior for social auth logins across distinct browser tabs
* Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html

4.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202007-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Cacti: Multiple vulnerabilities
      Date: July 26, 2020
      Bugs: #728678, #732522
        ID: 202007-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Cacti, the worst of which could result in the arbitrary execution of code.

Background
==========

Cacti is a complete frontend to rrdtool.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /     Vulnerable     /     Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/cacti               < 1.2.13            >= 1.2.13
  2  net-analyzer/cacti-spine         < 1.2.13            >= 1.2.13
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All Cacti users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.13"

All Cacti Spine users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=net-analyzer/cacti-spine-1.2.13"

References
==========

[ 1 ] CVE-2020-11022
      https://nvd.nist.gov/vuln/detail/CVE-2020-11022
[ 2 ] CVE-2020-11023
      https://nvd.nist.gov/vuln/detail/CVE-2020-11023
[ 3 ] CVE-2020-14295
      https://nvd.nist.gov/vuln/detail/CVE-2020-14295

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

 https://security.gentoo.org/glsa/202007-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:3247-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3247
Issue date:        2020-08-04
CVE Names:         CVE-2017-18635 CVE-2019-8331 CVE-2019-10086
                   CVE-2019-13990 CVE-2019-17195 CVE-2019-19336
                   CVE-2020-7598 CVE-2020-10775 CVE-2020-11022
                   CVE-2020-11023
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch, x86_64

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default (CVE-2019-10086)
* libquartz: XXE attacks via job description (CVE-2019-13990)
* novnc: XSS vulnerability via the messages propagated to the status field (CVE-2017-18635)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)
* ovirt-engine: response_type parameter allows reflected XSS (CVE-2019-19336)
* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
* ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)
* jQuery: Cross-site scripting due to improper jQuery.htmlPrefilter method (CVE-2020-11022)
* jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1080097 - [RFE] Allow editing disks details in the Disks tab
1325468 - [RFE] Autostart of VMs that are down (with Engine assistance - Engine has to be up)
1358501 - [RFE] multihost network change - notify when done
1427717 - [RFE] Create and/or select affinity group upon VM creation.
1475774 - RHV-M requesting four GetDeviceListVDSCommand when editing storage domain
1507438 - not able to deploy new rhvh host when "/tmp" is mounted with "noexec" option
1523835 - Hosted-Engine: memory hotplug does not work for engine vm
1527843 - [Tracker] Q35 chipset support (with seabios)
1529042 - [RFE] Changing of Cluster CPU Type does not trigger config update notification
1535796 - Undeployment of HE is not graceful
1546838 - [RFE] Refuse to deploy on localhost.localdomain
1547937 - [RFE] Live Storage Migration progress bar.
1585986 - [HE] When lowering the cluster compatibility, we need to force update the HE storage OVF store to ensure it can start up (migration will not work).
1593800 - [RFE] forbid new mac pools with overlapping ranges
1596178 - inconsistent display between automatic and manual Pool Type
1600059 - [RFE] Add by default a storage lease to HA VMs
1610212 - After updating to RHV 4.1 while trying to edit the disk, getting error "Cannot edit Virtual Disk. Cannot edit Virtual Disk. Disk extension combined with disk compat version update isn't supported. Please perform the updates separately."
1611395 - Unable to list Compute Templates in RHV 4.2 from Satellite 6.3.2
1616451 - [UI] add a tooltip to explain the supported matrix for the combination of disk allocation policies, formats and the combination result
1637172 - Live Merge hung in the volume deletion phase, leaving snapshot in a LOCKED state
1640908 - Javascript Error popup when Managing StorageDomain with LUNs and 400+ paths
1642273 - [UI] - left nav border highlight missing in RHV
1647440 - [RFE][UI] Provide information about the VM next run
1648345 - Jobs are not properly cleaned after a failed task.
1650417 - HA is broken for VMs having disks in NFS storage domain because of Qemu OFD locking
1650505 - Increase of ClusterCompatibilityVersion to Cluster with virtual machines with outstanding configuration changes, those changes will be reverted
1651406 - [RFE] Allow Maintenance of Host with Enforcing VM Affinity Rules (hard affinity)
1651939 - a new size of the direct LUN not updated in Admin Portal
1654069 - [Downstream Clone] [UI] - grids bottom scrollbar hides bottom row
1654889 - [RFE] Support console VNC for mediated devices
1656621 - Importing VM OVA always enables 'Cloud-Init/Sysprep'
1658101 - [RESTAPI] Adding ISO disables serial console
1659161 - Unable to edit pool that is delete protected
1660071 - Regression in Migration of VM that starts in pause mode: took 11 hours
1660644 - Concurrent LSMs of the same disk can be issued via the REST-API
1663366 - USB selection option disabled even though USB support is enabled in RHV-4.2
1664479 - Third VM fails to get migrated when host is placed into maintenance mode
1666913 - [UI] warn users about different "Vdsm Name" when creating network with a fancy char or long name
1670102 - [CinderLib] - openstack-cinder and cinderlib packages are not installed on ovirt-engine machine
1671876 - "Bond Active Slave" parameter on RHV-M GUI shows an incorrect until Refresh Caps
1679039 - Unable to upload image through Storage->Domain->Disk because of wrong DC
1679110 - [RFE] change Admin Portal toast notifications location
1679471 - [ja, de, es, fr, pt_BR] The console client resources page shows truncated title for some locales
1679730 - Warn about host IP addresses outside range
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1686650 - Memory snapshots' deletion logging unnecessary WARNINGS in engine.log
1687345 - Snapshot with memory volumes can fail if the memory dump takes more than 180 seconds
1690026 - [RFE] - Creating an NFS storage domain the engine should let the user specify exact NFS version v4.0 and not just v4
1690155 - Disk migration progress bar not clearly visible and unusable.
1690475 - When a live storage migration fails, the auto generated snapshot does not get removed
1691562 - Cluster level changes are not increasing VMs generation numbers and so a new OVF_STORE content is not copied to the shared storage
1692592 - "Enable menu to select boot device shows 10 device listed with cdrom at 10th slot but when selecting 10 option the VM took 1 as option and boot with disk
1693628 - Engine generates too many updates to vm_dynamic table due to the session change
1693813 - Do not change DC level if there are VMs running/paused with older CL.
1695026 - Failure in creating snapshots during "Live Storage Migration" can result in a nonexistent snapshot
1695635 - [RFE] Improve Host Drop-down menu in different Dialogs (i.e. Alphabetical sort of Hosts in Remove|New StorageDomains)
1696245 - [RFE] Allow full customization while cloning a VM
1696669 - Build bouncycastle for RHV 4.4 RHEL 8
1696676 - Build ebay-cors-filter for RHV 4.4 RHEL 8
1698009 - Build openstack-java-sdk for RHV 4.4 RHEL 8
1698102 - Print a warning message to engine-setup, which highlights that other clusters than the Default one are not modified to use ovirt-provider-ovn as the default network provider
1700021 - [RFE] engine-setup should warn and prompt if ca.pem is missing but other generated pki files exist
1700036 - [RFE] Add RedFish API for host power management for RHEV
1700319 - VM is going to pause state with "storage I/O error".
1700338 - [RFE] Alternate method to configure the email Event Notifier for a user in RHV through API (instead of RHV GUI)
1700725 - [scale] RHV-M runs out of memory due to to much data reported by the guest agent
1700867 - Build makeself for RHV 4.4 RHEL 8
1701476 - Build unboundid-ldapsdk for RHV 4.4 RHEL 8
1701491 - Build RHV-M 4.4 - RHEL 8
1701522 - Build ovirt-imageio-proxy for RHV 4.4 / RHEL 8
1701528 - Build / Tag python-ovsdbapp for RHV 4.4 RHEL 8
1701530 - Build / Tag ovirt-cockpit-sso for RHV 4.4 RHEL 8
1701531 - Build / Tag ovirt-engine-api-explorer for RHV 4.4 RHEL 8
1701533 - Build / Tag ovirt-engine-dwh for RHV 4.4 / RHEL 8
1701538 - Build / Tag vdsm-jsonrpc-java for RHV 4.4 RHEL 8
1701544 - Build rhvm-dependencies for RHV 4.4 RHEL 8
1702310 - Build / Tag ovirt-engine-ui-extensions for RHV 4.4 RHEL 8
1702312 - Build ovirt-log-collector for RHV 4.4 RHEL 8
1703112 - PCI address of NICs are not stored in the database after a hotplug of passthrough NIC resulting in change of network device name in VM after a reboot
1703428 - VMs migrated from KVM to RHV show warning 'The latest guest agent needs to be installed and running on the guest'
1707225 - [cinderlib] Cinderlib DB is missing a backup and restore option
1708624 - Build rhvm-setup-plugins for RHV 4.4 - RHEL 8
1710491 - No EVENT_ID is generated in /var/log/ovirt-engine/engine.log when VM is rebooted from OS level itself.
1711006 - Metrics installation fails during the execution of playbook ovirt-metrics-store-installation if the environment is not having DHCP
1712255 - Drop 4.1 datacenter/cluster level
1712746 - [RFE] Ignition support for ovirt vms
1712890 - engine-setup should check for snapshots in unsupported CL
1714528 - Missing IDs on cluster upgrade buttons
1714633 - Using more than one asterisk in the search string is not working when searching for users.
1714834 - Cannot disable SCSI passthrough using API
1715725 - Sending credentials in query string logs them in ovirt-request-logs
1716590 - [RFE][UX] Make Cluster-wide "Custom serial number policy" value visible at VM level
1718818 - [RFE] Enhance local disk passthrough
1720686 - Tag ovirt-scheduler-proxy for RHV 4.4 RHEL 8
1720694 - Build ovirt-engine-extension-aaa-jdbc for RHV 4.4 RHEL 8
1720795 - New guest tools are available mark in case of guest tool located on Data Domain
1724959 - RHV recommends reporting issues to GitHub rather than access.redhat.com (ovirt->RHV rebrand glitch?)
1727025 - NPE in DestroyImage endAction during live merge leaving a task in DB for hours causing operations depending on host clean tasks to fail as Deactivate host/StopSPM/deactivate SD
1728472 - Engine reports network out of sync due to ipv6 default gateway via ND RA on a non default route network.
1729511 - engine-setup fails to upgrade to 4.3 with Unicode characters in CA subject
1729811 - [scale] updatevmdynamic broken if too many users logged in - psql ERROR: value too long for type character varying(255)
1730264 - VMs will fail to start if the vnic profile attached is having port mirroring enabled and have name greater than 15 characters
1730436 - Snapshot creation was successful, but snapshot remains locked
1731212 - RHV 4.4 landing page does not show login or allow scrolling.
1731590 - Cannot preview snapshot, it fails and VM remains locked.
1733031 - [RFE] Add warning when importing data domains to newer DC that may trigger SD format upgrade
1733529 - Consume python-ovsdbapp dependencies from OSP in RHEL 8 RHV 4.4
1733843 - Export to OVA fails if VM is running on the Host doing the export
1734839 - Unable to start guests in our Power9 cluster without running in headless mode.
1737234 - Attach a non-existent ISO to vm by the API return 201 and marks the Attach CD checkbox as ON
1737684 - Engine deletes the leaf volume when SnapshotVDSCommand timed out without checking if the volume is still used by the VM
1740978 - [RFE] Warn or Block importing VMs/Templates from unsupported compatibility levels.
1741102 - host activation causes RHHI nodes to lose the quorum
1741271 - Move/Copy disk are blocked if there is less space in source SD than the size of the disk
1741625 - VM fails to be re-started with error: Failed to acquire lock: No space left on device
1743690 - Commit and Undo buttons active when no snapshot selected
1744557 - RHV 4.3 throws an exception when trying to access VMs which have snapshots from unsupported compatibility levels
1745384 - [IPv6 Static] Engine should allow updating network's static ipv6gateway
1745504 - Tag rhv-log-collector-analyzer for RHV 4.4 RHEL 8
1746272 - [BREW BUILD ENABLER] Build the oVirt Ansible roles for RHV 4.4.0
1746430 - [Rebase] Rebase v2v-conversion-host for RHV 4.4 Engine
1746877 - [Metrics] Rebase bug - for the 4.4 release on EL8
1747772 - Extra white space at the top of webadmin dialogs
1749284 - Change the Snapshot operation to be asynchronous
1749944 - teardownImage attempts to deactivate in-use LV's rendering the VM disk image/volumes in locked state.
1750212 - MERGE_STATUS fails with 'Invalid UUID string: mapper' when Direct LUN that already exists is hot-plugged
1750348 - [Tracking] rhvm-branding-rhv for RHV 4.4
1750357 - [Tracking] ovirt-web-ui for RHV 4.4
1750371 - [Tracking] ovirt-engine-ui-extensions for RHV 4.4
1750482 - From VM Portal, users cannot create Operating System Windows VM.
1751215 - Unable to change Graphical Console of HE VM.
1751268 - add links to Insights to landing page
1751423 - Improve description of shared memory statistics and remove unimplemented memory metrics from API
1752890 - Build / Tag ovirt-engine-extension-aaa-ldap for RHV 4.4 RHEL 8
1752995 - [RFE] Need to be able to set default console option
1753629 - Build / Tag ovirt-engine-extension-aaa-misc for RHV 4.4 RHEL 8
1753661 - Build / Tag ovirt-engine-extension-logger-log4j got RHV 4.4 / RHEl 8
1753664 - Build ovirt-fast-forward-upgrade for RHV 4.4 /RHEL 8 support
1754363 - [Scale] Engine generates excessive amount of dns configuration related sql queries
1754490 - RHV Manager cannot start on EAP 7.2.4
1755412 - Setting "oreg_url: registry.redhat.io" fails with error
1758048 - clone(as thin) VM from template or create snapshot fails with 'Requested capacity 1073741824 < parent capacity 3221225472 (volume:1211)'
1758289 - [Warn] Duplicate chassis entries in southbound database if the host is down while removing the host from Manager
1762281 - Import of OVA created from template fails with java.lang.NullPointerException
1763992 - [RFE] Show "Open Console" as the main option in the VM actions menu
1764289 - Document details how each fence agent can be configured in RESTAPI
1764791 - CVE-2019-17195 nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
1764932 - [BREW BUILD ENABLER] Build the ansible-runner-service for RHV 4.4
1764943 - Create Snapshot does not proceed beyond CreateVolume
1764959 - Apache is configured to offer TRACE method (security)
1765660 - CVE-2017-18635 novnc: XSS vulnerability via the messages propagated to the status field
1767319 - [RFE] forbid updating mac pool that contains ranges overlapping with any mac range in the system
1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
1768707 - Cannot set or update iscsi portal group tag when editing storage connection via API
1768844 - RHEL Advanced virtualization module streams support
1769463 - [Scale] Slow performance for api/clusters when many networks devices are present
1770237 - Cannot assign a vNIC profile for VM instance profile.
1771793 - VM Portal crashes in what appears to be a permission related problem.
1773313 - RHV Metric store installation fails with error: "You need to install \"jmespath\" prior to running json_query filter"
1777954 - VM Templates greater then 101 quantity are not listed/reported in RHV-M Webadmin UI.
1779580 - drop rhvm-doc package
1781001 - CVE-2019-19336 ovirt-engine: response_type parameter allows reflected XSS
1782236 - Windows Update (the drivers) enablement
1782279 - Warning message for low space is not received on Imported Storage domain
1782882 - qemu-kvm: kvm_init_vcpu failed: Function not implemented
1784049 - Rhel6 guest with cluster default q35 chipset causes kernel panic
1784385 - Still requiring rhvm-doc in rhvm-setup-plugins
1785750 - [RFE] Ability to change default VM action (Suspend) in the VM Portal.
1788424 - Importing a VM having direct LUN attached using virtio driver is failing with error "VirtIO-SCSI is disabled for the VM"
1796809 - Build apache-sshd for RHV 4.4 RHEL 8
1796811 - Remove bundled apache-sshd library
1796815 - Build snmp4j for RHV 4.4 RHEL 8
1796817 - Remove bundled snmp4j library
1797316 - Snapshot creation from VM fails on second snapshot and afterwords
1797500 - Add disk operation failed to complete.
1798114 - Build apache-commons-digester for RHV 4.4 RHEL 8
1798117 - Build apache-commons-configuration for RHV 4.4 RHEL 8
1798120 - Build apache-commons-jexl for RHV 4.4 RHEL 8
1798127 - Build apache-commons-collections4 for RHV 4.4 RHEL 8
1798137 - Build apache-commons-vfs for RHV 4.4 RHEL 8
1799171 - Build ws-commons-util for RHV 4.4 RHEL 8
1799204 - Build xmlrpc for RHV 4.4 RHEL 8
1801149 - CVE-2019-13990 libquartz: XXE attacks via job description
1801709 - Disable activation of the host while Enroll certificate flow is still in progress
1803597 - rhv-image-discrepancies should skip storage domains in maintenance mode and ISO/Export
1805669 - change requirement on rhvm package from spice-client-msi to spice-client-win
1806276 - [HE] ovirt-provider-ovn is non-functional on 4.3.9 Hosted-Engine
1807047 - Build m2crypto for RHV 4.4 RHEL 8
1807860 - [RFE] Allow resource allocation options to be customized
1808096 - Uploading ISOs causes "Uncaught exception occurred. Please try reloading the page. Details: (TypeError) : a.n is null"
1808126 - host_service.install() does not work with deploy_hosted_engine as True.
1809040 - [CNV&RHV] let the user know that token is not valid anymore
1809052 - [CNV&RHV] ovirt-engine log file spammed by failed timers ( approx 3-5 messages/sec )
1809875 - rhv-image-discrepancies only compares images on the last DC
1809877 - rhv-image-discrepancies sends dump-volume-chains with parameter that is ignored
1810893 - mountOptions is ignored for "import storage domain" from GUI
1811865 - [Scale] Host Monitoring generates excessive amount of qos related sql queries
1811869 - [Scale] Webadmin\REST for host interface list response time is too long because of excessive amount of qos related sql queries
1812875 - Unable to create VMs when french Language is selected for the rhvm gui.
1813305 - Engine updating SLA policies of VMs continuously in an environment which is not having any QOS configured
1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
1814197 - [CNV&RHV] when provider is remover DC is left behind and active
1814215 - [CNV&RHV] Adding new provider to engine fails after succesfull test
1816017 - Build log4j12 for RHV 4.4 EL8
1816643 - [CNV&RHV] VM created in CNV not visible in RHV
1816654 - [CNV&RHV] adding provider with already created vm failed
1816693 - [CNV&RHV] CNV VM failed to restart even if 1st dialog looks fine
1816739 - [CNV&RHV] CNV VM updated form CNV side doesn't update vm properties over on RHV side
1817467 - [Tracking] Migration path between RHV 4.3 and 4.4
1818745 - rhv-log-collector-analyzer 0.2.17 still requires pyhton2
1819201 - [CodeChange][i18n] oVirt 4.4 rhv branding - translation update
1819248 - Cannot upgrade host after engine setup
1819514 - Failed to register 4.4 host to the latest engine (4.4.0-0.29.master.el8ev)
1819960 - NPE on ImportVmTemplateFromConfigurationCommand when creating VM from ovf_data
1820621 - Build apache-commons-compress for RHV 4.4 EL8
1820638 - Build apache-commons-jxpath for RHV 4.4 EL8
1821164 - Failed snapshot creation can cause data corruption of other VMs
1821930 - Enable only TLSv1.2+ protocol for SPICE on EL7 hosts
1824095 - VM portal shows only error
1825793 - RHV branding is missing after upgrade from 4.3
1826248 - [4.4][ovirt-cockpit-sso] Compatibility issues with python3
1826437 - The console client resources page return HTTP code 500
1826801 - [CNV&RHV] update of memory on cnv side does not propagate to rhv
1826855 - [cnv&rhv] update of cpu on cnv side causing expetion in engine.log
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1828669 - After SPM select the engine lost communication to all hosts until restarted [improved logging]
1828736 - [CNV&RHV] cnv template is not propagated to rhv
1829189 - engine-setup httpd ssl configuration conflicts with Red Hat Insights
1829656 - Failed to register 4.3 host to 4.4 engine with 4.3 cluster (4.4.0-0.33.master.el8ev)
1829830 - vhost custom properties does not accept '-'
1832161 - rhv-log-collector-analyzer fails with UnicodeDecodeError on RHEL8
1834523 - Edit VM -> Enable Smartcard sharing does not stick when VM is running
1838493 - Live snapshot made with freeze in the engine will cause the FS to be frozen
1841495 - Upgrade openstack-java-sdk to 3.2.9
1842495 - high cpu usage after entering wrong search pattern in RHVM
1844270 - [vGPU] nodisplay option for mdev broken since mdev scheduling unit
1844855 - Missing images (favicon.ico, banner logo) and missing brand.css file on VM portal d/s installation
1845473 - Exporting an OVA file from a VM results in its ovf file having a format of RAW when the disk is COW
1847420 - CVE-2020-10775 ovirt-engine: Redirect to arbitrary URL allows for phishing
1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
1853444 - [CodeChange][i18n] oVirt 4.4 rhv branding - translation update (July-2020)
1854563 - [4.4 downstream only][RFE] Include a link to grafana on front page

6.
Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ansible-runner-1.4.5-1.el8ar.src.rpm
ansible-runner-service-1.0.2-1.el8ev.src.rpm
apache-commons-collections4-4.4-1.el8ev.src.rpm
apache-commons-compress-1.18-1.el8ev.src.rpm
apache-commons-configuration-1.10-1.el8ev.src.rpm
apache-commons-jexl-2.1.1-1.el8ev.src.rpm
apache-commons-jxpath-1.3-29.el8ev.src.rpm
apache-commons-vfs-2.4.1-1.el8ev.src.rpm
apache-sshd-2.5.1-1.el8ev.src.rpm
ebay-cors-filter-1.0.1-4.el8ev.src.rpm
ed25519-java-0.3.0-1.el8ev.src.rpm
engine-db-query-1.6.1-1.el8ev.src.rpm
java-client-kubevirt-0.5.0-1.el8ev.src.rpm
log4j12-1.2.17-22.el8ev.src.rpm
m2crypto-0.35.2-5.el8ev.src.rpm
makeself-2.4.0-4.el8ev.src.rpm
novnc-1.1.0-1.el8ost.src.rpm
openstack-java-sdk-3.2.9-1.el8ev.src.rpm
ovirt-cockpit-sso-0.1.4-1.el8ev.src.rpm
ovirt-engine-4.4.1.8-0.7.el8ev.src.rpm
ovirt-engine-api-explorer-0.0.6-1.el8ev.src.rpm
ovirt-engine-dwh-4.4.1.2-1.el8ev.src.rpm
ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.0-1.el8ev.src.rpm
ovirt-engine-extension-aaa-misc-1.1.0-1.el8ev.src.rpm
ovirt-engine-extension-logger-log4j-1.1.0-1.el8ev.src.rpm
ovirt-engine-extensions-api-1.0.1-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.1.1-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.2-1.el8ev.src.rpm
ovirt-fast-forward-upgrade-1.1.6-0.el8ev.src.rpm
ovirt-log-collector-4.4.2-1.el8ev.src.rpm
ovirt-scheduler-proxy-0.1.9-1.el8ev.src.rpm
ovirt-web-ui-1.6.3-1.el8ev.src.rpm
python-aniso8601-0.82-4.el8ost.src.rpm
python-flask-1.0.2-2.el8ost.src.rpm
python-flask-restful-0.3.6-8.el8ost.src.rpm
python-netaddr-0.7.19-8.1.el8ost.src.rpm
python-notario-0.0.16-2.el8cp.src.rpm
python-ovsdbapp-0.17.1-0.20191216120142.206cf14.el8ost.src.rpm
python-pbr-5.1.2-2.el8ost.src.rpm
python-six-1.12.0-1.el8ost.src.rpm
python-websocket-client-0.54.0-1.el8ost.src.rpm
python-werkzeug-0.16.0-1.el8ost.src.rpm
rhv-log-collector-analyzer-1.0.2-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.4-1.el8ev.src.rpm
rhvm-dependencies-4.4.0-1.el8ev.src.rpm
rhvm-setup-plugins-4.4.2-1.el8ev.src.rpm
snmp4j-2.4.1-1.el8ev.src.rpm
unboundid-ldapsdk-4.0.14-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.5.4-1.el8ev.src.rpm
ws-commons-util-1.0.2-1.el8ev.src.rpm
xmlrpc-3.1.3-1.el8ev.src.rpm

noarch:
ansible-runner-1.4.5-1.el8ar.noarch.rpm
ansible-runner-service-1.0.2-1.el8ev.noarch.rpm
apache-commons-collections4-4.4-1.el8ev.noarch.rpm
apache-commons-collections4-javadoc-4.4-1.el8ev.noarch.rpm
apache-commons-compress-1.18-1.el8ev.noarch.rpm
apache-commons-compress-javadoc-1.18-1.el8ev.noarch.rpm
apache-commons-configuration-1.10-1.el8ev.noarch.rpm
apache-commons-jexl-2.1.1-1.el8ev.noarch.rpm
apache-commons-jexl-javadoc-2.1.1-1.el8ev.noarch.rpm
apache-commons-jxpath-1.3-29.el8ev.noarch.rpm
apache-commons-jxpath-javadoc-1.3-29.el8ev.noarch.rpm
apache-commons-vfs-2.4.1-1.el8ev.noarch.rpm
apache-commons-vfs-ant-2.4.1-1.el8ev.noarch.rpm
apache-commons-vfs-examples-2.4.1-1.el8ev.noarch.rpm
apache-commons-vfs-javadoc-2.4.1-1.el8ev.noarch.rpm
apache-sshd-2.5.1-1.el8ev.noarch.rpm
apache-sshd-javadoc-2.5.1-1.el8ev.noarch.rpm
ebay-cors-filter-1.0.1-4.el8ev.noarch.rpm
ed25519-java-0.3.0-1.el8ev.noarch.rpm
ed25519-java-javadoc-0.3.0-1.el8ev.noarch.rpm
engine-db-query-1.6.1-1.el8ev.noarch.rpm
java-client-kubevirt-0.5.0-1.el8ev.noarch.rpm
log4j12-1.2.17-22.el8ev.noarch.rpm
log4j12-javadoc-1.2.17-22.el8ev.noarch.rpm
makeself-2.4.0-4.el8ev.noarch.rpm
novnc-1.1.0-1.el8ost.noarch.rpm
openstack-java-ceilometer-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-ceilometer-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-cinder-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-cinder-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-glance-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-glance-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-heat-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-heat-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-javadoc-3.2.9-1.el8ev.noarch.rpm
openstack-java-keystone-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-keystone-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-nova-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-nova-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-quantum-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-quantum-model-3.2.9-1.el8ev.noarch.rpm
openstack-java-resteasy-connector-3.2.9-1.el8ev.noarch.rpm
openstack-java-swift-client-3.2.9-1.el8ev.noarch.rpm
openstack-java-swift-model-3.2.9-1.el8ev.noarch.rpm
ovirt-cockpit-sso-0.1.4-1.el8ev.noarch.rpm
ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-api-explorer-0.0.6-1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.1.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.1.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.1.2-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.0-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.0-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-misc-1.1.0-1.el8ev.noarch.rpm
ovirt-engine-extension-logger-log4j-1.1.0-1.el8ev.noarch.rpm
ovirt-engine-extensions-api-1.0.1-1.el8ev.noarch.rpm
ovirt-engine-extensions-api-javadoc-1.0.1-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.1.1-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.1.8-0.7.el8ev.noarch.rpm
ovirt-engine-tools-4.4.1.8-0.7.el8ev.noarch.rpm ovirt-engine-tools-backup-4.4.1.8-0.7.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.2.2-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.4.1.8-0.7.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.4.1.8-0.7.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.4.1.8-0.7.el8ev.noarch.rpm ovirt-fast-forward-upgrade-1.1.6-0.el8ev.noarch.rpm ovirt-log-collector-4.4.2-1.el8ev.noarch.rpm ovirt-scheduler-proxy-0.1.9-1.el8ev.noarch.rpm ovirt-web-ui-1.6.3-1.el8ev.noarch.rpm python-flask-doc-1.0.2-2.el8ost.noarch.rpm python2-netaddr-0.7.19-8.1.el8ost.noarch.rpm python2-pbr-5.1.2-2.el8ost.noarch.rpm python2-six-1.12.0-1.el8ost.noarch.rpm python3-aniso8601-0.82-4.el8ost.noarch.rpm python3-ansible-runner-1.4.5-1.el8ar.noarch.rpm python3-flask-1.0.2-2.el8ost.noarch.rpm python3-flask-restful-0.3.6-8.el8ost.noarch.rpm python3-netaddr-0.7.19-8.1.el8ost.noarch.rpm python3-notario-0.0.16-2.el8cp.noarch.rpm python3-ovirt-engine-lib-4.4.1.8-0.7.el8ev.noarch.rpm python3-ovsdbapp-0.17.1-0.20191216120142.206cf14.el8ost.noarch.rpm python3-pbr-5.1.2-2.el8ost.noarch.rpm python3-six-1.12.0-1.el8ost.noarch.rpm python3-websocket-client-0.54.0-1.el8ost.noarch.rpm python3-werkzeug-0.16.0-1.el8ost.noarch.rpm python3-werkzeug-doc-0.16.0-1.el8ost.noarch.rpm rhv-log-collector-analyzer-1.0.2-1.el8ev.noarch.rpm rhvm-4.4.1.8-0.7.el8ev.noarch.rpm rhvm-branding-rhv-4.4.4-1.el8ev.noarch.rpm rhvm-dependencies-4.4.0-1.el8ev.noarch.rpm rhvm-setup-plugins-4.4.2-1.el8ev.noarch.rpm snmp4j-2.4.1-1.el8ev.noarch.rpm snmp4j-javadoc-2.4.1-1.el8ev.noarch.rpm unboundid-ldapsdk-4.0.14-1.el8ev.noarch.rpm unboundid-ldapsdk-javadoc-4.0.14-1.el8ev.noarch.rpm vdsm-jsonrpc-java-1.5.4-1.el8ev.noarch.rpm ws-commons-util-1.0.2-1.el8ev.noarch.rpm ws-commons-util-javadoc-1.0.2-1.el8ev.noarch.rpm xmlrpc-client-3.1.3-1.el8ev.noarch.rpm xmlrpc-common-3.1.3-1.el8ev.noarch.rpm xmlrpc-javadoc-3.1.3-1.el8ev.noarch.rpm xmlrpc-server-3.1.3-1.el8ev.noarch.rpm x86_64: 
m2crypto-debugsource-0.35.2-5.el8ev.x86_64.rpm
python3-m2crypto-0.35.2-5.el8ev.x86_64.rpm
python3-m2crypto-debuginfo-0.35.2-5.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:
https://access.redhat.com/security/cve/CVE-2017-18635
https://access.redhat.com/security/cve/CVE-2019-8331
https://access.redhat.com/security/cve/CVE-2019-10086
https://access.redhat.com/security/cve/CVE-2019-13990
https://access.redhat.com/security/cve/CVE-2019-17195
https://access.redhat.com/security/cve/CVE-2019-19336
https://access.redhat.com/security/cve/CVE-2020-7598
https://access.redhat.com/security/cve/CVE-2020-10775
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/technical_notes

8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
Description: Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

Description: The org.ovirt.engine-root is a core component of oVirt. The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5).

Bug Fix(es):
* Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)
* VM portal always asks how to open console.vv even if it has been set to default application. (BZ#1638217)
* RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)
* On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)
* Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)
* Scheduling Memory calculation disregards huge-pages (BZ#1804037)
* Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)
* In Admin Portal, "Huge Pages (size: amount)" needs to be clarified (BZ#1806339)
* Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)
* Unable to create Windows VMs with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)
* [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)
* [CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)
* Cannot create KubeVirt VM as a normal user (BZ#1859460)
* Welcome page - remove Metrics Store links and update "Insights Guide" link (BZ#1866466)
* [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)
* VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. (BZ#1871235)
* spec_ctrl host feature not detected (BZ#1875609)

Enhancement(s):
* [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)
* [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)
* [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)
* [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)

4. Bugs fixed (https://bugzilla.redhat.com/):
1625499 - Cannot assign direct LUN from FC storage - grayed out
1638217 - VM portal always asks how to open console.vv even if it has been set to default application.
1643520 - RESTAPI Not able to remove the QoS from a disk profile
1674420 - [RFE] - add support for Cascadelake-Server CPUs (and IvyBridge)
1748879 - On OVA import, qemu-img fails to write to NFS storage domain
1749803 - [RFE] Improve workflow for storage migration of VMs with multiple disks
1758024 - Long running Ansible tasks timeout and abort for RHV-H hosts with STIG/Security Profiles applied
1763812 - [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots
1778471 - Using more than one asterisk in LDAP search string is not working when searching for AD users.
1787854 - RHV: Updating/reinstall a host which is part of affinity labels is removed from the affinity label.
1801206 - Possible missing block path for a SCSI host device needs to be handled in the UI
1803856 - [Scale] ovirt-vmconsole takes too long or times out in a 500+ VM environment.
1804037 - Scheduling Memory calculation disregards huge-pages
1804046 - Engine does not reduce scheduling memory when a VM with dynamic hugepages runs.
1806339 - In Admin Portal, "Huge Pages (size: amount)" needs to be clarified
1816951 - [CNV&RHV] CNV VM migration failure is not handled correctly by the engine
1819260 - [RFE] enhance search filter for Storage Domains with free argument
1826255 - [CNV&RHV] Change name of type of provider - CNV -> OpenShift Virtualization
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
1831949 - RESTAPI javadoc contains missing information about assigning IP address to NIC
1831952 - RESTAPI contains malformed link around JSON representation of the cluster
1831954 - RESTAPI javadoc contains malformed link around oVirt guest agent
1831956 - RESTAPI javadoc contains malformed link around time zone representation
1838051 - Refresh LUN is using host from different Data Center to scan the LUN
1841112 - not able to upload vm from OVA when there are 2 OVA from the same vm in same directory
1843234 - Unable to create Windows VMs with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal
1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
1854488 - [RHV-CNV] - NPE when creating new VM in cnv cluster
1855377 - [CNV&RHV] Add-Disk operation failed to complete.
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1858184 - CVE-2020-14333 ovirt-engine: Reflected cross site scripting vulnerability
1859460 - Cannot create KubeVirt VM as a normal user
1860907 - Upgrade bundled GWT to 2.9.0
1866466 - Welcome page - remove Metrics Store links and update "Insights Guide" link
1866734 - [DWH] Rebase bug - for the 4.4.2 release
1869209 - [RHV 4.4] Change in CPU model name after RHVH upgrade
1869302 - ansible 2.9.12 - host deploy fixes
1871235 - VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled.
1875609 - spec_ctrl host feature not detected
1875851 - Web Admin interface broken on Firefox ESR 68.11

6. Description: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Bugs fixed (https://bugzilla.redhat.com/):
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances
2066009 - CVE-2021-44906 minimist: prototype pollution
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2140597 - CVE-2022-37603 loader-utils: Regular expression denial of service
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refresh tokens
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2148496 - CVE-2022-4137 keycloak: reflected XSS attack
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, new JSONObject(map) causes StackOverflowError which may lead to DoS
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation
2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code

Trust: 2.25

sources: NVD: CVE-2020-11022 // JVNDB: JVNDB-2020-004854 // VULHUB: VHN-163559 // PACKETSTORM: 160274 // PACKETSTORM: 158555 // PACKETSTORM: 158750 // PACKETSTORM: 157905 // PACKETSTORM: 159275 // PACKETSTORM: 171214

AFFECTED PRODUCTS

vendor: oracle | model: communications webrtc session controller | scope: eq | version: 7.2 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: eq | version: 18.2 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: lte | version: 20.1 | Trust: 1.0
vendor: oracle | model: healthcare foundation | scope: eq | version: 7.1.1 | Trust: 1.0
vendor: oracle | model: financial services data governance for us regulatory reporting | scope: lte | version: 8.0.9 | Trust: 1.0
vendor: oracle | model: healthcare foundation | scope: eq | version: 7.3.0 | Trust: 1.0
vendor: oracle | model: communications services gatekeeper | scope: eq | version: 7.0 | Trust: 1.0
vendor: oracle | model: communications eagle application processor | scope: gte | version: 16.1.0 | Trust: 1.0
vendor: oracle | model: financial services hedge management and ifrs valuations | scope: lte | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: jdeveloper | scope: eq | version: 12.2.1.3.0 | Trust: 1.0
vendor: oracle | model: insurance data foundation | scope: eq | version: 8.0.6-8.1.0 | Trust: 1.0
vendor: oracle | model: financial services hedge management and ifrs valuations | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: weblogic server | scope: eq | version: 12.2.1.3.0 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: eq | version: 18.3 | Trust: 1.0
vendor: oracle | model: financial services analytical applications reconciliation framework | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services liquidity risk measurement and management | scope: eq | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: financial services regulatory reporting for european banking authority | scope: lte | version: 8.1.0 | Trust: 1.0
vendor: drupal | model: drupal | scope: lt | version: 8.8.6 | Trust: 1.0
vendor: oracle | model: financial services data integration hub | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: retail back office | scope: eq | version: 14.1 | Trust: 1.0
vendor: fedoraproject | model: fedora | scope: eq | version: 31 | Trust: 1.0
vendor: netapp | model: h300e | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: hospitality simphony | scope: eq | version: 19.1.0-19.1.2 | Trust: 1.0
vendor: oracle | model: financial services asset liability management | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: oracle | model: financial services profitability management | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services regulatory reporting for us federal reserve | scope: lte | version: 8.0.9 | Trust: 1.0
vendor: oracle | model: financial services market risk measurement and management | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services analytical applications infrastructure | scope: gte | version: 8.0.6.0.0 | Trust: 1.0
vendor: oracle | model: financial services regulatory reporting for european banking authority | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: hospitality simphony | scope: gte | version: 19.1.0 | Trust: 1.0
vendor: oracle | model: weblogic server | scope: eq | version: 14.1.1.0.0 | Trust: 1.0
vendor: oracle | model: financial services basel regulatory capital internal ratings based approach | scope: lte | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: peoplesoft enterprise peopletools | scope: eq | version: 8.56 | Trust: 1.0
vendor: drupal | model: drupal | scope: gte | version: 8.8.0 | Trust: 1.0
vendor: oracle | model: storagetek acsls | scope: eq | version: 8.5.1 | Trust: 1.0
vendor: netapp | model: oncommand insight | scope: eq | version: - | Trust: 1.0
vendor: netapp | model: snapcenter | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: siebel ui framework | scope: eq | version: 20.8 | Trust: 1.0
vendor: oracle | model: financial services loan loss forecasting and provisioning | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services liquidity risk management | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: enterprise manager ops center | scope: eq | version: 12.4.0.0 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: eq | version: 20.1 | Trust: 1.0
vendor: oracle | model: financial services regulatory reporting for us federal reserve | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: retail returns management | scope: eq | version: 14.1 | Trust: 1.0
vendor: oracle | model: financial services funds transfer pricing | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: netapp | model: oncommand system manager | scope: lte | version: 3.1.3 | Trust: 1.0
vendor: jquery | model: jquery | scope: lt | version: 3.5.0 | Trust: 1.0
vendor: oracle | model: financial services analytical applications reconciliation framework | scope: lte | version: 8.0.8 | Trust: 1.0
vendor: netapp | model: h300s | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: jdeveloper | scope: eq | version: 11.1.1.9.0 | Trust: 1.0
vendor: oracle | model: insurance insbridge rating and underwriting | scope: eq | version: 5.6.1.0 | Trust: 1.0
vendor: drupal | model: drupal | scope: gte | version: 7.0 | Trust: 1.0
vendor: jquery | model: jquery | scope: gte | version: 1.2 | Trust: 1.0
vendor: oracle | model: financial services analytical applications reconciliation framework | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: weblogic server | scope: eq | version: 12.1.3.0.0 | Trust: 1.0
vendor: oracle | model: hospitality simphony | scope: eq | version: 18.2 | Trust: 1.0
vendor: oracle | model: financial services institutional performance analytics | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: communications diameter signaling router idih: | scope: gte | version: 8.0.0 | Trust: 1.0
vendor: oracle | model: peoplesoft enterprise peopletools | scope: eq | version: 8.58 | Trust: 1.0
vendor: oracle | model: financial services data foundation | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services data integration hub | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: policy automation | scope: gte | version: 12.2.0 | Trust: 1.0
vendor: oracle | model: insurance insbridge rating and underwriting | scope: lte | version: 5.6.0.0 | Trust: 1.0
vendor: tenable | model: log correlation engine | scope: lt | version: 6.0.9 | Trust: 1.0
vendor: oracle | model: agile product supplier collaboration for process | scope: eq | version: 6.2.0.0 | Trust: 1.0
vendor: oracle | model: financial services basel regulatory capital basic | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services data foundation | scope: lte | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: financial services profitability management | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: financial services analytical applications infrastructure | scope: lte | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: insurance accounting analyzer | scope: eq | version: 8.0.9 | Trust: 1.0
vendor: oracle | model: insurance allocation manager for enterprise profitability | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: financial services liquidity risk measurement and management | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: oracle | model: financial services data integration hub | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: oracle | model: financial services basel regulatory capital internal ratings based approach | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: eq | version: 18.1 | Trust: 1.0
vendor: oracle | model: application testing suite | scope: eq | version: 13.3.0.1 | Trust: 1.0
vendor: debian | model: linux | scope: eq | version: 9.0 | Trust: 1.0
vendor: oracle | model: communications diameter signaling router idih: | scope: lte | version: 8.2.2 | Trust: 1.0
vendor: fedoraproject | model: fedora | scope: eq | version: 32 | Trust: 1.0
vendor: oracle | model: financial services funds transfer pricing | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: financial services loan loss forecasting and provisioning | scope: lte | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: financial services price creation and discovery | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: netapp | model: h500e | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: communications billing and revenue management | scope: eq | version: 7.5.0.23.0 | Trust: 1.0
vendor: oracle | model: healthcare foundation | scope: eq | version: 7.2.1 | Trust: 1.0
vendor: netapp | model: h500s | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: communications eagle application processor | scope: lte | version: 16.4.0 | Trust: 1.0
vendor: oracle | model: financial services institutional performance analytics | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: retail customer management and segmentation foundation | scope: eq | version: 19.0 | Trust: 1.0
vendor: oracle | model: financial services funds transfer pricing | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: oracle | model: financial services analytical applications infrastructure | scope: lte | version: 8.1.0.0.0 | Trust: 1.0
vendor: oracle | model: financial services asset liability management | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: drupal | model: drupal | scope: lt | version: 8.7.14 | Trust: 1.0
vendor: oracle | model: financial services market risk measurement and management | scope: eq | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: communications application session controller | scope: eq | version: 3.8m0 | Trust: 1.0
vendor: oracle | model: blockchain platform | scope: lt | version: 21.1.2 | Trust: 1.0
vendor: drupal | model: drupal | scope: gte | version: 8.7.0 | Trust: 1.0
vendor: oracle | model: financial services basel regulatory capital basic | scope: lte | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: financial services basel regulatory capital internal ratings based approach | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: financial services data governance for us regulatory reporting | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: financial services institutional performance analytics | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: oracle | model: insurance allocation manager for enterprise profitability | scope: eq | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: policy automation for mobile devices | scope: lte | version: 12.2.20 | Trust: 1.0
vendor: opensuse | model: leap | scope: eq | version: 15.2 | Trust: 1.0
vendor: oracle | model: financial services basel regulatory capital basic | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: communications billing and revenue management | scope: eq | version: 12.0.0.3.0 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: eq | version: 19.2 | Trust: 1.0
vendor: oracle | model: enterprise session border controller | scope: eq | version: 8.4 | Trust: 1.0
vendor: oracle | model: financial services price creation and discovery | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: policy automation for mobile devices | scope: gte | version: 12.2.0 | Trust: 1.0
vendor: netapp | model: h700e | scope: eq | version: - | Trust: 1.0
vendor: opensuse | model: leap | scope: eq | version: 15.1 | Trust: 1.0
vendor: netapp | model: h410c | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: retail back office | scope: eq | version: 14.0 | Trust: 1.0
vendor: oracle | model: agile product lifecycle management for process | scope: eq | version: 6.2.0.0 | Trust: 1.0
vendor: oracle | model: peoplesoft enterprise peopletools | scope: eq | version: 8.57 | Trust: 1.0
vendor: netapp | model: h410s | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: financial services hedge management and ifrs valuations | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: hospitality simphony | scope: eq | version: 18.1 | Trust: 1.0
vendor: netapp | model: h700s | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: hospitality simphony | scope: lte | version: 19.1.2 | Trust: 1.0
vendor: oracle | model: policy automation connector for siebel | scope: eq | version: 10.4.6 | Trust: 1.0
vendor: netapp | model: snap creator framework | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: financial services asset liability management | scope: eq | version: 8.0.6 | Trust: 1.0
vendor: netapp | model: max data | scope: eq | version: - | Trust: 1.0
vendor: oracle | model: jdeveloper | scope: eq | version: 12.2.1.4.0 | Trust: 1.0
vendor: oracle | model: healthcare foundation | scope: eq | version: 7.2.0 | Trust: 1.0
vendor: fedoraproject | model: fedora | scope: eq | version: 33 | Trust: 1.0
vendor: oracle | model: retail returns management | scope: eq | version: 14.0 | Trust: 1.0
vendor: oracle | model: financial services balance sheet planning | scope: eq | version: 8.0.8 | Trust: 1.0
vendor: oracle | model: policy automation | scope: lte | version: 12.2.20 | Trust: 1.0
vendor: oracle | model: insurance data foundation | scope: lte | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: weblogic server | scope: eq | version: 12.2.1.4.0 | Trust: 1.0
vendor: oracle | model: financial services liquidity risk measurement and management | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: oracle | model: insurance insbridge rating and underwriting | scope: gte | version: 5.0.0.0 | Trust: 1.0
vendor: oracle | model: financial services analytical applications infrastructure | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: eq | version: 19.1 | Trust: 1.0
vendor: netapp | model: oncommand system manager | scope: gte | version: 3.0 | Trust: 1.0
vendor: oracle | model: weblogic server | scope: eq | version: 10.3.6.0.0 | Trust: 1.0
vendor: oracle | model: banking digital experience | scope: gte | version: 18.1 | Trust: 1.0
vendor: oracle | model: insurance data foundation | scope: gte | version: 8.0.6 | Trust: 1.0
vendor: oracle | model: hospitality materials control | scope: eq | version: 18.1 | Trust: 1.0
vendor: oracle | model: financial services profitability management | scope: eq | version: 8.0.7 | Trust: 1.0
vendor: drupal | model: drupal | scope: lt | version: 7.70 | Trust: 1.0
vendor: oracle | model: financial services loan loss forecasting and provisioning | scope: eq | version: 8.1.0 | Trust: 1.0
vendor: jquery | model: jquery | scope: - | version: - | Trust: 0.8
vendor: 日立 (Hitachi) | model: hitachi ops center common services | scope: - | version: - | Trust: 0.8

sources: JVNDB: JVNDB-2020-004854 // NVD: CVE-2020-11022

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11022
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2020-11022
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-11022
value: MEDIUM

Trust: 0.8

VULHUB: VHN-163559
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-11022
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-163559
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-11022
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2020-11022
baseSeverity: MEDIUM
baseScore: 6.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 4.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-11022
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-163559 // JVNDB: JVNDB-2020-004854 // NVD: CVE-2020-11022 // NVD: CVE-2020-11022

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-163559 // JVNDB: JVNDB-2020-004854 // NVD: CVE-2020-11022

TYPE

code execution, xss

Trust: 0.3

sources: PACKETSTORM: 160274 // PACKETSTORM: 158750 // PACKETSTORM: 171214

PATCH

title: hitachi-sec-2020-130 | url: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

Trust: 0.8

sources: JVNDB: JVNDB-2020-004854

EXTERNAL IDS

db: NVD | id: CVE-2020-11022 | Trust: 3.3
db: PACKETSTORM | id: 162159 | Trust: 1.1
db: TENABLE | id: TNS-2021-02 | Trust: 1.1
db: TENABLE | id: TNS-2020-10 | Trust: 1.1
db: TENABLE | id: TNS-2020-11 | Trust: 1.1
db: TENABLE | id: TNS-2021-10 | Trust: 1.1
db: ICS CERT | id: ICSA-22-055-02 | Trust: 0.8
db: ICS CERT | id: ICSA-22-342-02 | Trust: 0.8
db: ICS CERT | id: ICSA-22-097-01 | Trust: 0.8
db: CERT@VDE | id: VDE-2021-027 | Trust: 0.8
db: JVN | id: JVNVU94912830 | Trust: 0.8
db: JVN | id: JVNVU94847990 | Trust: 0.8
db: JVN | id: JVNVU99843134 | Trust: 0.8
db: JVNDB | id: JVNDB-2020-004854 | Trust: 0.8
db: PACKETSTORM | id: 171214 | Trust: 0.2
db: PACKETSTORM | id: 160274 | Trust: 0.2
db: PACKETSTORM | id: 159275 | Trust: 0.2
db: PACKETSTORM | id: 158750 | Trust: 0.2
db: PACKETSTORM | id: 158555 | Trust: 0.2
db: PACKETSTORM | id: 171213 | Trust: 0.1
db: PACKETSTORM | id: 170823 | Trust: 0.1
db: PACKETSTORM | id: 171212 | Trust: 0.1
db: PACKETSTORM | id: 171215 | Trust: 0.1
db: PACKETSTORM | id: 159852 | Trust: 0.1
db: PACKETSTORM | id: 170821 | Trust: 0.1
db: PACKETSTORM | id: 159876 | Trust: 0.1
db: PACKETSTORM | id: 159353 | Trust: 0.1
db: PACKETSTORM | id: 161727 | Trust: 0.1
db: PACKETSTORM | id: 170819 | Trust: 0.1
db: PACKETSTORM | id: 168304 | Trust: 0.1
db: PACKETSTORM | id: 170817 | Trust: 0.1
db: PACKETSTORM | id: 159513 | Trust: 0.1
db: PACKETSTORM | id: 157850 | Trust: 0.1
db: CNNVD | id: CNNVD-202004-2429 | Trust: 0.1
db: VULHUB | id: VHN-163559 | Trust: 0.1
db: PACKETSTORM | id: 157905 | Trust: 0.1

sources: VULHUB: VHN-163559 // JVNDB: JVNDB-2020-004854 // PACKETSTORM: 160274 // PACKETSTORM: 158555 // PACKETSTORM: 158750 // PACKETSTORM: 157905 // PACKETSTORM: 159275 // PACKETSTORM: 171214 // NVD: CVE-2020-11022

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-11022

Trust: 1.4

url:https://security.gentoo.org/glsa/202007-03

Trust: 1.2

url:https://github.com/jquery/jquery/security/advisories/ghsa-gxr4-xjj5-5px2

Trust: 1.1

url:https://security.netapp.com/advisory/ntap-20200511-0006/

Trust: 1.1

url:https://www.drupal.org/sa-core-2020-002

Trust: 1.1

url:https://www.tenable.com/security/tns-2020-10

Trust: 1.1

url:https://www.tenable.com/security/tns-2020-11

Trust: 1.1

url:https://www.tenable.com/security/tns-2021-02

Trust: 1.1

url:https://www.tenable.com/security/tns-2021-10

Trust: 1.1

url:https://www.debian.org/security/2020/dsa-4693

Trust: 1.1

url:http://packetstormsecurity.com/files/162159/jquery-1.2-cross-site-scripting.html

Trust: 1.1

url:https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Trust: 1.1

url:https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

Trust: 1.1

url:https://jquery.com/upgrade-guide/3.5/

Trust: 1.1

url:https://www.oracle.com//security-alerts/cpujul2021.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2022.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujan2021.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujan2022.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujul2022.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuoct2020.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuoct2021.html

Trust: 1.1

url:https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html

Trust: 1.1

url:https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3cdev.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3ccommits.airflow.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3cissues.flink.apache.org%3e

Trust: 1.0

url:https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/avkyxlwclzbv2n7m46kyk4lva5oxwpby/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/qpn2l2xvqgua2v5hnqjwhk3apsk3vn7k/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sapqvx3xdnpgft26qaq6ajixzzbz4cd4/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sfp4uk4egp4afh2mwyj5a5z4i7xvfq6b/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/voe7p7apprqkd4fgnhbkjpdy6ffcoh3w/

Trust: 1.0

url:https://jvn.jp/vu/jvnvu94912830/

Trust: 0.8

url:http://jvn.jp/vu/jvnvu94847990/index.html

Trust: 0.8

url:https://jvn.jp/vu/jvnvu99843134/index.html

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-055-02

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-097-01

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-342-02

Trust: 0.8

url:https://cert.vde.com/en/advisories/vde-2021-027/

Trust: 0.8

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2020-11023

Trust: 0.5

url:https://bugzilla.redhat.com/

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-11022

Trust: 0.5

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-11023

Trust: 0.4

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-7598

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.2

url:https://access.redhat.com/articles/2974891

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-7598

Trust: 0.2

url:https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/ht

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/avkyxlwclzbv2n7m46kyk4lva5oxwpby/

Trust: 0.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/voe7p7apprqkd4fgnhbkjpdy6ffcoh3w/

Trust: 0.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/qpn2l2xvqgua2v5hnqjwhk3apsk3vn7k/

Trust: 0.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sfp4uk4egp4afh2mwyj5a5z4i7xvfq6b/

Trust: 0.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sapqvx3xdnpgft26qaq6ajixzzbz4cd4/

Trust: 0.1

url:https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3ccommits.airflow.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3cdev.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3cissues.flink.apache.org%3e

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:5249

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7676

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-7743

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-18874

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7720

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-7676

Trust: 0.1

url:https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-7720

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7743

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-18874

Trust: 0.1

url:https://bugs.gentoo.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14295

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13990

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8331

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10775

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17195

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/technical_notes

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2017-18635

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:3247

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10086

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-10086

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-19336

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-13990

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-17195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-18635

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-10775

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8331

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-19336

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:2362

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-10744

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-12459

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-12459

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10744

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-8203

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8203

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:3807

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14333

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-14333

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-38750

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-14042

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1471

Trust: 0.1

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-14040

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1438

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3916

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-40150

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-31129

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1045

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-40149

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25857

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-46175

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-35065

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-45047

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-46364

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-44906

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-44906

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-0091

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24785

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3782

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-42004

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-2764

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2764

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-4137

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-46363

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1471

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-0264

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-38751

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1274

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-37603

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-45693

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-38749

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-31129

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-35065

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-42003

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1438

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25857

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-14042

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24785

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-14040

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11358

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11358

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1274

Trust: 0.1

sources: VULHUB: VHN-163559 // JVNDB: JVNDB-2020-004854 // PACKETSTORM: 160274 // PACKETSTORM: 158555 // PACKETSTORM: 158750 // PACKETSTORM: 157905 // PACKETSTORM: 159275 // PACKETSTORM: 171214 // NVD: CVE-2020-11022

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 160274 // PACKETSTORM: 158750 // PACKETSTORM: 157905 // PACKETSTORM: 159275 // PACKETSTORM: 171214

SOURCES

db:VULHUBid:VHN-163559
db:JVNDBid:JVNDB-2020-004854
db:PACKETSTORMid:160274
db:PACKETSTORMid:158555
db:PACKETSTORMid:158750
db:PACKETSTORMid:157905
db:PACKETSTORMid:159275
db:PACKETSTORMid:171214
db:NVDid:CVE-2020-11022

LAST UPDATE DATE

2024-11-20T20:28:55.553000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-163559date:2022-07-25T00:00:00
db:JVNDBid:JVNDB-2020-004854date:2023-03-22T05:10:00
db:NVDid:CVE-2020-11022date:2023-11-07T03:14:27.330

SOURCES RELEASE DATE

db:VULHUBid:VHN-163559date:2020-04-29T00:00:00
db:JVNDBid:JVNDB-2020-004854date:2020-05-29T00:00:00
db:PACKETSTORMid:160274date:2020-11-30T15:51:22
db:PACKETSTORMid:158555date:2020-07-27T17:38:33
db:PACKETSTORMid:158750date:2020-08-04T14:26:33
db:PACKETSTORMid:157905date:2020-06-02T22:47:18
db:PACKETSTORMid:159275date:2020-09-24T00:30:36
db:PACKETSTORMid:171214date:2023-03-02T15:19:36
db:NVDid:CVE-2020-11022date:2020-04-29T22:15:11.903