이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 6. Fixed security issues
This section lists security issues fixed in Red Hat Developer Hub 1.3.
6.1. Red Hat Developer Hub 1.3.5
6.1.1. Red Hat Developer Hub dependency updates
- CVE-2025-22150
-
A flaw was found in the undici package for Node.js. Undici uses
Math.random()to choose the boundary for a multipart/form-data request. It is known that the output ofMath.random()can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests to an attacker-controlled website, it can leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
6.2. Red Hat Developer Hub 1.3.4
6.2.1. Red Hat Developer Hub dependency updates
- CVE-2024-45338
- A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.
- CVE-2024-52798
- A flaw was found in path-to-regexp. A path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance.
- CVE-2024-55565
- nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
- CVE-2024-56201
- A flaw was found in the Jinja2 package. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of Jinja’s sandbox being used. An attacker needs to be able to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates where the template author can also choose the template filename.
- CVE-2024-56326
- A flaw was found in the Jinja package. In affected versions of Jinja, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja’s sandbox does catch calls to str.format and ensures they don’t escape the sandbox. However, storing a reference to a malicious string’s format method is possible, then passing that to a filter that calls it. No such filters are built into Jinja but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.
6.2.2. RHEL 9 platform RPM updates
- CVE-2024-9287
-
A vulnerability has been found in the Python
venvmodule and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated. - CVE-2024-11168
-
A flaw was found in Python. The
urllib.parse.urlsplit()andurlparse()functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture compliant. This behavior was not conformant to RFC 3986 and was potentially vulnerable to server-side request forgery (SSRF) if a URL is processed by more than one URL parser. - CVE-2024-34156
- A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- CVE-2024-46713
- In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization
- CVE-2024-50208
- In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
- CVE-2024-50252
- In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
- CVE-2024-53122
- A divide by zero flaw was found in the Linux kernel’s Multipath TCP (MPTCP). This issue could allow a remote user to crash the system.
6.3. Red Hat Developer Hub 1.3.3
6.3.1. Red Hat Developer Hub dependency updates
- CVE-2024-21538
- A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.
6.3.2. RHEL 9 platform RPM updates
- CVE-2024-0450
- A flaw was found in the Python/CPython 'zipfile' that can allow a zip-bomb type of attack. An attacker may craft a zip file format, leading to a Denial of Service when processed.
- CVE-2024-2236
- A timing-based side-channel flaw was found in libgcrypt’s RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
- CVE-2024-3596
- A vulnerability in the RADIUS (Remote Authentication Dial-In User Service) protocol allows attackers to forge authentication responses when the Message-Authenticator attribute is not enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This can result in unauthorized access by modifying an Access-Reject response to an Access-Accept response, thereby compromising the authentication process.
- CVE-2024-3727
- A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
- CVE-2024-6104
- A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
- CVE-2024-8088
- A flaw was found in Python’s zipfile module. When iterating over the entries of a zip archive, the process can enter into an infinite loop state and become unresponsive. This flaw allows an attacker to craft a malicious ZIP archive, leading to a denial of service from the application consuming the zipfile module. Only applications that handle user-controlled zip archives are affected by this vulnerability.
- CVE-2024-24788
- A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.
- CVE-2024-24791
- A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
- CVE-2024-30203
- A flaw was found in Emacs. When Emacs is used as an email client, inline MIME attachments are considered to be trusted by default, allowing a crafted LaTeX document to exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
- CVE-2024-30204
- A flaw was found in Emacs. When Emacs is used as an email client, a preview of a crafted LaTeX document attached to an email can exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
- CVE-2024-30205
- A flaw was found in Emacs. Org mode considers the content of remote files, such as files opened with TRAMP on remote systems, to be trusted, resulting in arbitrary code execution.
- CVE-2024-42283
- In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Initialize all fields in dumped nexthops
- CVE-2024-45005
- In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix validity interception issue when gisa is switched off
- CVE-2024-46824
- In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops
- CVE-2024-46858
- In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync
- CVE-2024-50602
- A security issue was found in Expat (libexpat). A crash can be triggered in the XML_ResumeParser function due to XML_StopParser’s ability to stop or suspend an unstarted parser, which can lead to a denial of service.
6.4. Red Hat Developer Hub 1.3.1
6.4.1. Red Hat Developer Hub dependency updates
- CVE-2024-21536
- A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.
- CVE-2024-37890
- A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
- CVE-2024-45590
- A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
6.4.2. RHEL 9 platform RPM updates
- CVE-2021-47385
- In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
- CVE-2023-28746
- A vulnerability was found in some Intel Atom Processor’s microcode. This issue may allow a malicious actor to achieve a local information disclosure, impacting the data confidentiality of the targeted system.
- CVE-2023-52658
- CVE-2023-52658 is a vulnerability in the Linux kernel’s Mellanox MLX5 driver, specifically related to the switchdev mode. A previous commit intended to block entering switchdev mode due to namespace inconsistencies inadvertently caused system crashes. To address this, the problematic commit was reverted, restoring stability. Users should update their Linux kernel to a version that includes this reversion to ensure reliable operation.
- CVE-2024-6232
- A regular expression denial of service (ReDos) vulnerability was found in Python’s tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive.
- CVE-2024-9355
- A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
- CVE-2024-27403
- In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_flow_offload: reset dst in route object after setting up flow
- CVE-2024-34156
- A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- CVE-2024-35989
- This is a vulnerability in the Linux kernel’s Data Movement Accelerator (DMA) engine, specifically affecting the Intel Data Streaming Accelerator (IDXD) driver. The issue arises during the removal (rmmod) of the idxd driver on systems with only one active CPU. In such scenarios, the driver’s cleanup process attempts to migrate performance monitoring unit (PMU) contexts to another CPU. However, with no other CPUs available, this leads to a kernel oops—a serious error causing the system to crash.
- CVE-2024-36889
- In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect
- CVE-2024-36978
- An out-of-bounds write flaw was found in the Linux kernel’s multiq qdisc functionality. This vulnerability allows a local user to crash or potentially escalate their privileges on the system.
- CVE-2024-38556
- In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore
- CVE-2024-39483
- In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked
- CVE-2024-39502
- In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del()
- CVE-2024-40959
- In the Linux kernel, the following vulnerability has been resolved: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
- CVE-2024-42079
- In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush
- CVE-2024-42272
- In the Linux kernel, the following vulnerability has been resolved: sched: act_ct: take care of padding in struct zones_ht_key
- CVE-2024-42284
- A flaw was found in Linux kernel tipc. tipc_udp_addr2str() does not return a nonzero value when UDP media address is invalid, which can result in a buffer overflow in tipc_media_addr_printf().
6.5. Red Hat Developer Hub 1.3.0
6.5.1. Red Hat Developer Hub dependency updates
- CVE-2024-21529
- A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
- CVE-2024-24790
- A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn’t behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
- CVE-2024-24791
- A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
- CVE-2024-37891
-
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the
Proxy-AuthorizationHTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects. - CVE-2024-39008
- A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments to the objectMergeDeep function crafted with the built-in property: proto. This issue can potentially lead to a denial of service, remote code execution, or Cross-site scripting.
- CVE-2024-39249
- A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
- CVE-2024-41818
- A regular expression denial of service (ReDoS) flaw was found in fast-xml-parser in the currency.js script. By sending a specially crafted regex input, a remote attacker could cause a denial of service condition.
- CVE-2024-43788
-
A DOM Clobbering vulnerability was found in Webpack via
AutoPublicPathRuntimeModule. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script through seemingly benign HTML markups in the webpage, for example, through a post or comment, and leverages the gadgets (pieces of JS code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to Cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or ID attributes. - CVE-2024-43799
- A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.
- CVE-2024-43800
- A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().
6.5.2. RHEL 9 platform RPM updates
- CVE-2023-52439
- A flaw was found in the Linux kernel’s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system.
- CVE-2023-52884
- In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions
- CVE-2024-6119
- A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
- CVE-2024-26739
- A use-after-free flaw was found in net/sched/act_mirred.c in the Linux kernel. This may result in a crash.
- CVE-2024-26929
- A flaw was found in the qla2xxx module in the Linux kernel. Under some conditions, the fcport can be freed twice due to a missing check of whether fcport is allocated, causing a double free and a system crash, resulting in a denial of service.
- CVE-2024-26930
- A vulnerability was found in the Linux kernel. A potential double-free in the pointer ha→vp_map exists in the Linux kernel in drivers/scsi/qla2xxx/qla_os.c.
- CVE-2024-26931
- A flaw was found in the qla2xxx module in the Linux kernel. A NULL pointer dereference can be triggered when the system is under memory stress and the driver cannot allocate memory to handle the error recovery of cable pull, causing a system crash and a denial of service.
- CVE-2024-26947
- A flaw was found in the Linux kernel’s ARM memory management functionality, where certain memory layouts cause a kernel panic. This flaw allows an attacker who can specify or alter memory layouts to cause a denial of service.
- CVE-2024-26991
- A flaw was found in the Linux Kernel. A lpage_info overflow can occur when checking attributes. This may lead to a crash.
- CVE-2024-27022
- A flaw was found in the Linux kernel. A race condition can occur when the fork system call is called due to improper locking, triggering a warning, impacting system stability, and resulting in a denial of service.
- CVE-2024-35895
- CVE-2024-35895 addresses a vulnerability in the Linux kernel’s Berkeley Packet Filter (BPF) subsystem, specifically within the sockmap feature. The issue arises when BPF tracing programs, which can execute in various interrupt contexts, attempt to delete elements from sockmap or sockhash maps. This operation involves acquiring locks that are not safe for use in hard interrupt contexts, leading to potential deadlocks due to lock inversion. BPF tracing programs may delete elements from sockmap/sockhash maps while running in interrupt contexts where the required locks are not hardirq-safe, causing possible deadlocks.
- CVE-2024-36016
-
A vulnerability was found in the Linux kernel’s
n_gsmdriver, affecting thettysubsystem. It occurs when switching between basic and advanced option modes in GSM multiplexing, leading to potential out-of-bounds memory writes. This happens because certain state variables, likegsm→lenandgsm→state, are not properly reset during mode changes. The issue could result in memory corruption. - CVE-2024-36899
- In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify
- CVE-2024-38562
- In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing
- CVE-2024-38570
- In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount
- CVE-2024-38573
- A NULL pointer dereference flaw was found in cppc_cpufreq_get_rate() in the Linux kernel. This issue may result in a crash.
- CVE-2024-38601
- In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks
- CVE-2024-38615
- In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional
- CVE-2024-39331
- A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.
- CVE-2024-40984
- In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
- CVE-2024-41071
- An out-of-bounds buffer overflow has been found in the Linux kernel’s mac80211 subsystem when scanning for SSIDs. Address calculation using out-of-bounds array indexing could result in an attacker crafting an exploit, resulting in the complete compromise of a system.
- CVE-2024-42225
- A potential flaw was found in the Linux kernel’s MediaTek WiFi, where it was reusing uninitialized data. This flaw allows a local user to gain unauthorized access to some data potentially.
- CVE-2024-42246
- In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
- CVE-2024-45490
- A flaw was found in libexpat’s xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
- CVE-2024-45491
- An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
- CVE-2024-45492
- A flaw was found in libexpat’s internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.
