ID

VAR-202012-1279


CVE

CVE-2020-8286


TITLE

curl  Vulnerability in Certificate Verification

Trust: 0.8

sources: JVNDB: JVNDB-2020-014405

DESCRIPTION

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. curl Contains a certificate validation vulnerability.Information may be tampered with. HAXX libcurl is an open source client-side URL transfer library developed by Haxx (HAXX) in Sweden. The product supports protocols such as FTP, SFTP, TFTP and HTTP. A security vulnerability exists in libcurl that could be exploited by an attacker to read or write data in a session by acting as a man-in-the-middle through low-level OCSP authentication on libcurl. Bugs fixed (https://bugzilla.redhat.com/): 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1945703 - "Guest OS Info" availability in VMI describe is flaky 1958816 - [2.6.z] KubeMacPool fails to start due to OOM likely caused by a high number of Pods running in the cluster 1963275 - migration controller null pointer dereference 1965099 - Live Migration double handoff to virt-handler causes connection failures 1965181 - CDI importer doesn't report AwaitingVDDK like it used to 1967086 - Cloning DataVolumes between namespaces fails while creating cdi-upload pod 1967887 - [2.6.6] nmstate is not progressing on a node and not configuring vlan filtering that causes an outage for VMs 1969756 - Windows VMs fail to start on air-gapped environments 1970372 - Virt-handler fails to verify container-disk 1973227 - segfault in virt-controller during pdb deletion 1974084 - 2.6.6 containers 1975212 - No Virtual Machine Templates Found [EDIT - all templates are marked as depracted] 1975727 - [Regression][VMIO][Warm] The third precopy does not end in warm migration 1977756 - [2.6.z] PVC keeps in pending when using hostpath-provisioner 1982760 - [v2v] no kind VirtualMachine is registered for version \"kubevirt.io/v1\" i... 1986989 - OpenShift Virtualization 2.6.z cannot be upgraded to 4.8.0 initially deployed starting with <= 4.8 5. Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1328 - Port fix to 5.0.z for BZ-1945168 6. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release. Security Fix(es): * curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901) * httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618) * libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169) * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284) * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285) * curl: Inferior OCSP verification (CVE-2020-8286) * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876) * curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. Bugs fixed (https://bugzilla.redhat.com/): 1847916 - CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect 1902667 - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host 1902687 - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used 1906096 - CVE-2020-8286 curl: Inferior OCSP verification 1941964 - CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer 1941965 - CVE-2021-22890 curl: TLS 1.3 session ticket mix-up with HTTPS proxy host 1963146 - CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSSL TLS backend 1968013 - CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update Advisory ID: RHSA-2021:2479-01 Product: Red Hat OpenShift Container Storage Advisory URL: https://access.redhat.com/errata/RHSA-2021:2479 Issue date: 2021-06-17 CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708 CVE-2019-3842 CVE-2019-9169 CVE-2019-13012 CVE-2019-14866 CVE-2019-25013 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8927 CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2020-13434 CVE-2020-13543 CVE-2020-13584 CVE-2020-13776 CVE-2020-15358 CVE-2020-24977 CVE-2020-25659 CVE-2020-25678 CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 CVE-2020-27783 CVE-2020-28196 CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2020-36242 CVE-2021-3139 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449 CVE-2021-3450 CVE-2021-3528 CVE-2021-20305 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 ==================================================================== 1. Summary: Updated images that fix one security issue and several bugs are now available for Red Hat OpenShift Container Storage 4.6.5 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Currently, a newly restored PVC cannot be mounted if some of the OpenShift Container Platform nodes are running on a version of Red Hat Enterprise Linux which is less than 8.2, and the snapshot from which the PVC was restored is deleted. Workaround: Do not delete the snapshot from which the PVC was restored until the restored PVC is deleted. (BZ#1962483) * Previously, the default backingstore was not created on AWS S3 when OpenShift Container Storage was deployed, due to incorrect identification of AWS S3. With this update, the default backingstore gets created when OpenShift Container Storage is deployed on AWS S3. (BZ#1927307) * Previously, log messages were printed to the endpoint pod log even if the debug option was not set. With this update, the log messages are printed to the endpoint pod log only when the debug option is set. (BZ#1938106) * Previously, the PVCs could not be provisioned as the `rook-ceph-mds` did not register the pod IP on the monitor servers, and hence every mount on the filesystem timed out, resulting in CephFS volume provisioning failure. With this update, an argument `--public-addr=podIP` is added to the MDS pod when the host network is not enabled, and hence the CephFS volume provisioning does not fail. (BZ#1949558) * Previously, OpenShift Container Storage 4.2 clusters were not updated with the correct cache value, and hence MDSs in standby-replay might report an oversized cache, as rook did not apply the `mds_cache_memory_limit` argument during upgrades. With this update, the `mds_cache_memory_limit` argument is applied during upgrades and the mds daemon operates normally. (BZ#1951348) * Previously, the coredumps were not generated in the correct location as rook was setting the config option `log_file` to an empty string since logging happened on stdout and not on the files, and hence Ceph read the value of the `log_file` to build the dump path. With this update, rook does not set the `log_file` and keeps Ceph's internal default, and hence the coredumps are generated in the correct location and are accessible under `/var/log/ceph/`. (BZ#1938049) * Previously, Ceph became inaccessible, as the mons lose quorum if a mon pod was drained while another mon was failing over. With this update, voluntary mon drains are prevented while a mon is failing over, and hence Ceph does not become inaccessible. (BZ#1946573) * Previously, the mon quorum was at risk, as the operator could erroneously remove the new mon if the operator was restarted during a mon failover. With this update, the operator completes the same mon failover after the operator is restarted, and hence the mon quorum is more reliable in the node drains and mon failover scenarios. (BZ#1959983) All users of Red Hat OpenShift Container Storage are advised to pull these new images from the Red Hat Container Registry. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod 1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b 1951348 - [GSS][CephFS] health warning "MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files" for the standby-replay 1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files 1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version] 1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover 1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout 1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod 5. References: https://access.redhat.com/security/cve/CVE-2016-10228 https://access.redhat.com/security/cve/CVE-2017-14502 https://access.redhat.com/security/cve/CVE-2019-2708 https://access.redhat.com/security/cve/CVE-2019-3842 https://access.redhat.com/security/cve/CVE-2019-9169 https://access.redhat.com/security/cve/CVE-2019-13012 https://access.redhat.com/security/cve/CVE-2019-14866 https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/cve/CVE-2020-8927 https://access.redhat.com/security/cve/CVE-2020-9948 https://access.redhat.com/security/cve/CVE-2020-9951 https://access.redhat.com/security/cve/CVE-2020-9983 https://access.redhat.com/security/cve/CVE-2020-13434 https://access.redhat.com/security/cve/CVE-2020-13543 https://access.redhat.com/security/cve/CVE-2020-13584 https://access.redhat.com/security/cve/CVE-2020-13776 https://access.redhat.com/security/cve/CVE-2020-15358 https://access.redhat.com/security/cve/CVE-2020-24977 https://access.redhat.com/security/cve/CVE-2020-25659 https://access.redhat.com/security/cve/CVE-2020-25678 https://access.redhat.com/security/cve/CVE-2020-26116 https://access.redhat.com/security/cve/CVE-2020-26137 https://access.redhat.com/security/cve/CVE-2020-27618 https://access.redhat.com/security/cve/CVE-2020-27619 https://access.redhat.com/security/cve/CVE-2020-27783 https://access.redhat.com/security/cve/CVE-2020-28196 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2020-36242 https://access.redhat.com/security/cve/CVE-2021-3139 https://access.redhat.com/security/cve/CVE-2021-3177 https://access.redhat.com/security/cve/CVE-2021-3326 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3528 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/cve/CVE-2021-23239 https://access.redhat.com/security/cve/CVE-2021-23240 https://access.redhat.com/security/cve/CVE-2021-23336 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYMtu/9zjgjWX9erEAQh6fhAAm9UPxF0e8ubzCEae+bkQAduwCkzpQ0ND Q1/UcDAAc4ueEhBrwXPhOLrgfBj+VG+QA19YZcNPzbW7I48RGjCm5WccnUyEbFAo FKTspCZW7FkXKBU15u58c/sFCGa4/Yuu+IpqCMuZ6lR2g9WHIBKdVtaB4y59AyfS v59cAorqZ3AoTX4lVys6HfDGySQWlg5P8t6ST72cUJjESi6U0HV00P7ECU2SFxCF HXA4gbXbZ1EPb/1+UkRRnXemJuT8SaRFRTrzj9woTrVAGQFvn+yjxLbZxVZb0WDd 6QeNpiJNICfL+/ExvEmGQucf7NcekYPWud11pnRUfQ+Uqsj+I7YoaepXAAolLzvN kAVVpFNsWADOVz7BrfSKoo4b38UCFOEUSd2d1ijCNE96Q9XyNUpn+kZqz0/wpBQC L+E5N9kEuaLyDBoI0wJAfoqU1NY4Cvl6lIMDgHUv2CE10zxhFwHCDulAfcQgxNQG sIbpSgSegq9HfZSDxa6Rtrox1I7oGhnBy10sIwUUH1+fxAusUk+Xrxf8hUv8KgDz V144yrGwN/6KVxh74A60bJX3ai12l6fC8bkmsxg5K1r/Dk4tUkQeXNdBbaK/rEKO AQs7YDab/0VA2qKtXDRkbnzqBRSbamDNOO/jd28nGMoclaIRHCzQgJRFv6Qb6dwT RCrstqAM5QQ=DHD0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2021:2122 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html This update fixes the following bug among others: * Previously, resources for the ClusterOperator were being created early in the update process, which led to update failures when the ClusterOperator had no status condition while Operators were updating. This bug fix changes the timing of when these resources are created. As a result, updates can take place without errors. (BZ#1959238) Security Fix(es): * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64 The image digest is sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4 (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x The image digest is sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le The image digest is sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36 All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor 3. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled" 1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go 1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list 1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits 1959238 - CVO creating cloud-controller-manager too early causing upgrade failures 1960103 - SR-IOV obliviously reboot the node 1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated 1962302 - packageserver clusteroperator does not set reason or message for Available condition 1962312 - Deployment considered unhealthy despite being available and at latest generation 1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone 1963115 - Test verify /run filesystem contents failing 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-04-26-4 Security Update 2021-003 Mojave Security Update 2021-003 Mojave addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212327. APFS Available for: macOS Mojave Impact: A local user may be able to read arbitrary files Description: The issue was addressed with improved permissions logic. CVE-2021-1797: Thomas Tempelmann Audio Available for: macOS Mojave Impact: An application may be able to read restricted memory Description: A memory corruption issue was addressed with improved validation. CVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab CFNetwork Available for: macOS Mojave Impact: Processing maliciously crafted web content may disclose sensitive user information Description: A memory initialization issue was addressed with improved memory handling. CVE-2021-1857: an anonymous researcher CoreAudio Available for: macOS Mojave Impact: A malicious application may be able to read restricted memory Description: A memory corruption issue was addressed with improved validation. CVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab CoreGraphics Available for: macOS Mojave Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2021-1847: Xuwei Liu of Purdue University CoreText Available for: macOS Mojave Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: A logic issue was addressed with improved state management. CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab curl Available for: macOS Mojave Impact: A remote attacker may be able to cause a denial of service Description: A buffer overflow was addressed with improved input validation. CVE-2020-8285: xnynx curl Available for: macOS Mojave Impact: An attacker may provide a fraudulent OCSP response that would appear valid Description: This issue was addressed with improved checks. CVE-2020-8286: an anonymous researcher DiskArbitration Available for: macOS Mojave Impact: A malicious application may be able to modify protected parts of the file system Description: A permissions issue existed in DiskArbitration. This was addressed with additional ownership checks. CVE-2021-1784: Csaba Fitzl (@theevilbit) of Offensive Security, an anonymous researcher, and Mikko Kenttälä (@Turmio_) of SensorFu FontParser Available for: macOS Mojave Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-1881: Hou JingYi (@hjy79425575) of Qihoo 360, an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, and Mickey Jin of Trend Micro FontParser Available for: macOS Mojave Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-27942: an anonymous researcher Foundation Available for: macOS Mojave Impact: A malicious application may be able to gain root privileges Description: A validation issue was addressed with improved logic. CVE-2021-1813: Cees Elzinga ImageIO Available for: macOS Mojave Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-1843: Ye Zhang of Baidu Security Intel Graphics Driver Available for: macOS Mojave Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write was addressed with improved input validation. CVE-2021-1805: ABC Research s.r.o. working with Trend Micro Zero Day Initiative Intel Graphics Driver Available for: macOS Mojave Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2021-1806: ABC Research s.r.o. working with Trend Micro Zero Day Initiative Intel Graphics Driver Available for: macOS Mojave Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2021-1834: ABC Research s.r.o. working with Trend Micro Zero Day Initiative Kernel Available for: macOS Mojave Impact: A malicious application may be able to disclose kernel memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2021-1860: @0xalsr Kernel Available for: macOS Mojave Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved state management. CVE-2021-1851: @0xalsr Kernel Available for: macOS Mojave Impact: A local attacker may be able to elevate their privileges Description: A memory corruption issue was addressed with improved validation. CVE-2021-1840: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab libxpc Available for: macOS Mojave Impact: A malicious application may be able to gain root privileges Description: A race condition was addressed with additional validation. CVE-2021-30652: James Hutchins libxslt Available for: macOS Mojave Impact: Processing a maliciously crafted file may lead to heap corruption Description: A double free issue was addressed with improved memory management. CVE-2021-1875: Found by OSS-Fuzz NSRemoteView Available for: macOS Mojave Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2021-1876: Matthew Denton of Google Chrome Preferences Available for: macOS Mojave Impact: A local user may be able to modify protected parts of the file system Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com) smbx Available for: macOS Mojave Impact: An attacker in a privileged network position may be able to leak sensitive user information Description: An integer overflow was addressed with improved input validation. CVE-2021-1878: Aleksandar Nikolic of Cisco Talos (talosintelligence.com) Tailspin Available for: macOS Mojave Impact: A local attacker may be able to elevate their privileges Description: A logic issue was addressed with improved state management. CVE-2021-1868: Tim Michaud of Zoom Communications tcpdump Available for: macOS Mojave Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-8037: an anonymous researcher Time Machine Available for: macOS Mojave Impact: A local attacker may be able to elevate their privileges Description: The issue was addressed with improved permissions logic. CVE-2021-1839: Tim Michaud(@TimGMichaud) of Zoom Video Communications and Gary Nield of ECSC Group plc Wi-Fi Available for: macOS Mojave Impact: An application may be able to cause unexpected system termination or write kernel memory Description: A memory corruption issue was addressed with improved validation. CVE-2021-1828: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab wifivelocityd Available for: macOS Mojave Impact: An application may be able to execute arbitrary code with system privileges Description: The issue was addressed with improved permissions logic. CVE-2020-3838: Dayton Pidhirney (@_watbulb) Windows Server Available for: macOS Mojave Impact: A malicious application may be able to unexpectedly leak a user's credentials from secure text fields Description: An API issue in Accessibility TCC permissions was addressed with improved state management. CVE-2021-1873: an anonymous researcher Installation note: This update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmCHO2EACgkQZcsbuWJ6 jjBHBhAAmHYbcREaaxOXQwrb56He+ool1GyXUCGknHRnEO6Ik0nyE/GeUPuv8Y/Q /ywr188mv3ehtjFlXWpHtqwOn0KoNlAlcE+jy9r3QGTxNmBM2z30FeC0wiYYEi7s I5xWkZIcnO1jq2CMGVHHfbLhyLnkWblwWvCOWriCRzbTocEWgEqwrh/uguTVRWB4 oVo8+uHcdiS2gqS0LIMbbvP6SGkfPwVlL8Mr/e96xdditiRbZX01GkAm0l5ezYHt xrs8378fmQK3su4dHrkHpFpTmT3Yib8Jtotat8cgu6lWxLGEFR5kOye4QIjFCl/a UhnR52nlMyYlh4anbqUs7PAh2QDVa3scaRfGTdAogPfaZIAhaaiuj8qXUOsAxEhk rf0TOXmgCDfhuaA08Ys43sgUgunPLOa2+jMT4VspLZxDTkWLDrGFjlM4P5643WrT ITAKLoqq8SOhce6gd3VECvG+EK/fBWrdwzsVDzfxU3yW3kSCKxX25KcRePwJZAAu s1ZZpIZdY7rmi1DwafNSig2dncjUZJy6AhiI5w6cpQzBOQVioU8oac2JDi1X2Rn1 k/D3VQfmYas7HGqUSwx3MUx+yybktm+8Ogo+vtcRKCzUF5t13bwpyAda0mJ62c6L I/ISWomRdC4XX3AQL5EJLzO9slpOBqWsbQb0cULdt+mb4H+nLDE= =NZ77 -----END PGP SIGNATURE----- . Security Fix(es): * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196) It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. This has been fixed (CVE-2021-3703). Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983651 - Release of OpenShift Serverless Serving 1.17.0 1983654 - Release of OpenShift Serverless Eventing 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 5

Trust: 2.52

sources: NVD: CVE-2020-8286 // JVNDB: JVNDB-2020-014405 // VULHUB: VHN-186411 // VULMON: CVE-2020-8286 // PACKETSTORM: 163789 // PACKETSTORM: 162837 // PACKETSTORM: 163193 // PACKETSTORM: 163209 // PACKETSTORM: 162877 // PACKETSTORM: 162360 // PACKETSTORM: 162362 // PACKETSTORM: 164192

AFFECTED PRODUCTS

vendor:fedoraprojectmodel:fedorascope:eqversion:33

Trust: 1.0

vendor:netappmodel:hci storage nodescope:eqversion: -

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:gteversion:8.2.0

Trust: 1.0

vendor:oraclemodel:communications cloud native core policyscope:eqversion:1.14.0

Trust: 1.0

vendor:oraclemodel:essbasescope:eqversion:21.2

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:applemodel:mac os xscope:ltversion:10.15.7

Trust: 1.0

vendor:netappmodel:clustered data ontapscope:eqversion: -

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:ltversion:8.2.12

Trust: 1.0

vendor:netappmodel:hci management nodescope:eqversion: -

Trust: 1.0

vendor:applemodel:macosscope:ltversion:11.3

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.15.7

Trust: 1.0

vendor:siemensmodel:sinec infrastructure network servicesscope:ltversion:1.0.1.1

Trust: 1.0

vendor:oraclemodel:communications billing and revenue managementscope:eqversion:12.0.0.3.0

Trust: 1.0

vendor:applemodel:macosscope:gteversion:11.0

Trust: 1.0

vendor:applemodel:mac os xscope:ltversion:10.14.6

Trust: 1.0

vendor:applemodel:mac os xscope:gteversion:10.15

Trust: 1.0

vendor:netappmodel:hci bootstrap osscope:eqversion: -

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.14.6

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:eqversion:9.1.0

Trust: 1.0

vendor:haxxmodel:libcurlscope:ltversion:7.74.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:ltversion:9.0.6

Trust: 1.0

vendor:netappmodel:solidfirescope:eqversion: -

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.58

Trust: 1.0

vendor:splunkmodel:universal forwarderscope:gteversion:9.0.0

Trust: 1.0

vendor:siemensmodel:simatic tim 1531 ircscope:lteversion:2.2

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:haxxmodel:libcurlscope:gteversion:7.41.0

Trust: 1.0

vendor:netappmodel:clustered data ontapscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:シーメンスmodel:tim 1531 ircscope: - version: -

Trust: 0.8

vendor:アップルmodel:apple mac os xscope: - version: -

Trust: 0.8

vendor:netappmodel:solidfirescope: - version: -

Trust: 0.8

vendor:haxxmodel:libcurlscope: - version: -

Trust: 0.8

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:netappmodel:hci storage nodescope: - version: -

Trust: 0.8

vendor:netappmodel:hci bootstrap osscope: - version: -

Trust: 0.8

vendor:netappmodel:hci management nodescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-014405 // NVD: CVE-2020-8286

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8286
value: HIGH

Trust: 1.0

NVD: CVE-2020-8286
value: HIGH

Trust: 0.8

VULHUB: VHN-186411
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-8286
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-8286
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-186411
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-8286
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-8286
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-186411 // VULMON: CVE-2020-8286 // JVNDB: JVNDB-2020-014405 // NVD: CVE-2020-8286

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.1

problemtype:Bad certificate verification (CWE-295) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-186411 // JVNDB: JVNDB-2020-014405 // NVD: CVE-2020-8286

TYPE

overflow, code execution

Trust: 0.2

sources: PACKETSTORM: 162360 // PACKETSTORM: 162362

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-186411

PATCH

title:SSA-200951url:https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html

Trust: 0.8

title:Debian CVElist Bug Report Logs: curl: CVE-2020-8286: Inferior OCSP verificationurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=94b5024386b61af7dfe7d6777c542252

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2020-8286 log

Trust: 0.1

title:Amazon Linux 2: ALAS2-2021-1693url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2021-1693

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=f387a8b703f2e28130691e84d6b3091f

Trust: 0.1

title:Debian Security Advisories: DSA-4881-1 curl -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=a9706a30f62799ecc4d45bdb53c244eb

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=4a9822530e6b610875f83ffc10e02aba

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d

Trust: 0.1

title:envoy_mtlsurl:https://github.com/salrashid123/envoy_mtls

Trust: 0.1

title:ecr-apiurl:https://github.com/YaleSpinup/ecr-api

Trust: 0.1

title:myapp-container-jaxrsurl:https://github.com/akiraabe/myapp-container-jaxrs

Trust: 0.1

sources: VULMON: CVE-2020-8286 // JVNDB: JVNDB-2020-014405

EXTERNAL IDS

db:NVDid:CVE-2020-8286

Trust: 2.8

db:HACKERONEid:1048457

Trust: 1.9

db:SIEMENSid:SSA-389290

Trust: 1.1

db:SIEMENSid:SSA-200951

Trust: 1.1

db:JVNid:JVNVU95781418

Trust: 0.8

db:JVNDBid:JVNDB-2020-014405

Trust: 0.8

db:PACKETSTORMid:162362

Trust: 0.2

db:PACKETSTORMid:163193

Trust: 0.2

db:PACKETSTORMid:162360

Trust: 0.2

db:PACKETSTORMid:160706

Trust: 0.1

db:PACKETSTORMid:163197

Trust: 0.1

db:PACKETSTORMid:163267

Trust: 0.1

db:PACKETSTORMid:162358

Trust: 0.1

db:PACKETSTORMid:163257

Trust: 0.1

db:PACKETSTORMid:163496

Trust: 0.1

db:PACKETSTORMid:160423

Trust: 0.1

db:PACKETSTORMid:163276

Trust: 0.1

db:PACKETSTORMid:162629

Trust: 0.1

db:VULHUBid:VHN-186411

Trust: 0.1

db:VULMONid:CVE-2020-8286

Trust: 0.1

db:PACKETSTORMid:163789

Trust: 0.1

db:PACKETSTORMid:162837

Trust: 0.1

db:PACKETSTORMid:163209

Trust: 0.1

db:PACKETSTORMid:162877

Trust: 0.1

db:PACKETSTORMid:164192

Trust: 0.1

sources: VULHUB: VHN-186411 // VULMON: CVE-2020-8286 // JVNDB: JVNDB-2020-014405 // PACKETSTORM: 163789 // PACKETSTORM: 162837 // PACKETSTORM: 163193 // PACKETSTORM: 163209 // PACKETSTORM: 162877 // PACKETSTORM: 162360 // PACKETSTORM: 162362 // PACKETSTORM: 164192 // NVD: CVE-2020-8286

REFERENCES

url:https://hackerone.com/reports/1048457

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2020-8286

Trust: 1.2

url:https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf

Trust: 1.1

url:https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Trust: 1.1

url:https://security.netapp.com/advisory/ntap-20210122-0007/

Trust: 1.1

url:https://support.apple.com/kb/ht212325

Trust: 1.1

url:https://support.apple.com/kb/ht212326

Trust: 1.1

url:https://support.apple.com/kb/ht212327

Trust: 1.1

url:https://www.debian.org/security/2021/dsa-4881

Trust: 1.1

url:http://seclists.org/fulldisclosure/2021/apr/50

Trust: 1.1

url:http://seclists.org/fulldisclosure/2021/apr/51

Trust: 1.1

url:http://seclists.org/fulldisclosure/2021/apr/54

Trust: 1.1

url:https://security.gentoo.org/glsa/202012-14

Trust: 1.1

url:https://curl.se/docs/cve-2020-8286.html

Trust: 1.1

url:https://www.oracle.com//security-alerts/cpujul2021.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2022.html

Trust: 1.1

url:https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nzuvsqhn2eshmjxnq2z7t2eelbb5hjxg/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/daehe2s2qlo4ao4meeyl75nb7sah5psl/

Trust: 1.0

url:https://jvn.jp/vu/jvnvu95781418/

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2020-8286

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2020-8285

Trust: 0.6

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.6

url:https://bugzilla.redhat.com/):

Trust: 0.6

url:https://access.redhat.com/security/team/contact/

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2020-8284

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2020-28196

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-15358

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-13434

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-8231

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-29362

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2016-10228

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2019-9169

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-25013

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-29361

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-9169

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2021-3326

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2019-25013

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2019-2708

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-8927

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-29363

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-2708

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2016-10228

Trust: 0.5

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-27618

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2020-13543

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-9951

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-9948

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2019-13012

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-13434

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-26116

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-13584

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-26137

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-27619

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-9983

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2021-3177

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2021-23336

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-13012

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-8285

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-14347

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-25712

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2017-14502

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-36242

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2017-14502

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-14866

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14363

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-14866

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-13543

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14360

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-13584

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-12362

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-25659

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14345

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14344

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14362

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14361

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-12362

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-14346

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-20305

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2019-3842

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-13776

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2020-24977

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-3842

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-25039

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-14346

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-23240

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3520

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25037

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-23239

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25037

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3537

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3518

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-28935

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3516

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25034

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25035

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25038

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-14345

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25040

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3517

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25042

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25042

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25038

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3541

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25032

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25041

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25036

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25032

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-20271

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-25215

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25036

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-14344

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25035

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25039

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-25040

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25041

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-25034

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-36322

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-12114

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-12114

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27835

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-25704

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-13776

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3121

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-10878

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-19528

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-0431

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-18811

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-19528

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-12464

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14314

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-14356

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27786

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-25643

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-24394

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-0431

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-0342

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-18811

Trust: 0.2

url:https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-19523

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-10543

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-25285

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-35508

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-25212

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-19523

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-28974

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-10543

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-15437

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-25284

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-10878

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-11608

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-11608

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-12464

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8284

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-15358

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-27618

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8231

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3449

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-27783

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-28196

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3450

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-29362

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-29363

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-29361

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1860

Trust: 0.2

url:https://support.apple.com/kb/ht201222

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1857

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1813

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1840

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1876

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1739

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1851

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1828

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1809

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1875

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8037

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1784

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1847

Trust: 0.2

url:https://support.apple.com/downloads/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1843

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-27942

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1811

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1839

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-3838

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1797

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1834

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1873

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1808

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-1868

Trust: 0.2

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/daehe2s2qlo4ao4meeyl75nb7sah5psl/

Trust: 0.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nzuvsqhn2eshmjxnq2z7t2eelbb5hjxg/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-12364

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-12363

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33909

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-27219

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-32399

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3560

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-20201

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:3119

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-25217

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-12363

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3114

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-28211

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-12364

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33910

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14347

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14360

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2136

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14314

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-u

Trust: 0.1

url:https://issues.jboss.org/):

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14356

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22901

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp&downloadtype=securitypatches&version=2.4.37

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22901

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.openssl&downloadtype=securitypatches&version=1.1.1g

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22890

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22876

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22890

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8169

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-31618

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31618

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2471

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-8169

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22876

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-26116

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2479

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3139

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-26137

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27619

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-24977

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25659

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36242

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27783

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3528

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25678

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-25678

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-15586

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.7/updating/updating-cluster

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-16845

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21645

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-24330

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21643

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-24331

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-30465

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21644

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2121

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-24332

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:2122

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21642

Trust: 0.1

url:https://support.apple.com/ht212326.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1810

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1824

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1740

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1878

Trust: 0.1

url:https://support.apple.com/ht212327.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1806

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-1805

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-27918

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33196

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-20305

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-27918

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-27218

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33196

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33197

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33198

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33198

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-31525

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-27218

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-34558

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:3556

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3326

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33197

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-20271

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-8927

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3421

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31525

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3703

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

Trust: 0.1

sources: VULHUB: VHN-186411 // JVNDB: JVNDB-2020-014405 // PACKETSTORM: 163789 // PACKETSTORM: 162837 // PACKETSTORM: 163193 // PACKETSTORM: 163209 // PACKETSTORM: 162877 // PACKETSTORM: 162360 // PACKETSTORM: 162362 // PACKETSTORM: 164192 // NVD: CVE-2020-8286

CREDITS

Red Hat

Trust: 0.6

sources: PACKETSTORM: 163789 // PACKETSTORM: 162837 // PACKETSTORM: 163193 // PACKETSTORM: 163209 // PACKETSTORM: 162877 // PACKETSTORM: 164192

SOURCES

db:VULHUBid:VHN-186411
db:VULMONid:CVE-2020-8286
db:JVNDBid:JVNDB-2020-014405
db:PACKETSTORMid:163789
db:PACKETSTORMid:162837
db:PACKETSTORMid:163193
db:PACKETSTORMid:163209
db:PACKETSTORMid:162877
db:PACKETSTORMid:162360
db:PACKETSTORMid:162362
db:PACKETSTORMid:164192
db:NVDid:CVE-2020-8286

LAST UPDATE DATE

2025-04-26T19:52:02.192000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-186411date:2022-05-13T00:00:00
db:VULMONid:CVE-2020-8286date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2020-014405date:2021-08-17T09:01:00
db:NVDid:CVE-2020-8286date:2024-11-21T05:38:39.643

SOURCES RELEASE DATE

db:VULHUBid:VHN-186411date:2020-12-14T00:00:00
db:VULMONid:CVE-2020-8286date:2020-12-14T00:00:00
db:JVNDBid:JVNDB-2020-014405date:2021-08-17T00:00:00
db:PACKETSTORMid:163789date:2021-08-11T16:15:17
db:PACKETSTORMid:162837date:2021-05-27T13:28:54
db:PACKETSTORMid:163193date:2021-06-17T18:01:23
db:PACKETSTORMid:163209date:2021-06-17T18:34:10
db:PACKETSTORMid:162877date:2021-06-01T14:45:29
db:PACKETSTORMid:162360date:2021-04-28T14:58:36
db:PACKETSTORMid:162362date:2021-04-28T15:00:23
db:PACKETSTORMid:164192date:2021-09-17T16:04:56
db:NVDid:CVE-2020-8286date:2020-12-14T20:15:14.043