{"affected_release": [{"advisory": "RHSA-2021:5110", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-20-tech-preview/cryostat-operator-bundle:2.0.0-6.1639085863", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5110", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-20-tech-preview/cryostat-rhel8-operator:2.0.0-5", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.19.1-4", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": 
"cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.19.2-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.13.0-6", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.13.0-6", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.19.1-2", 
"product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.19.0-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.13.0-9", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.13.0-6", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": 
"cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.19.0-6", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.19.0-5", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2021:0516", "cpe": "cpe:/a:redhat:serverless:1.13::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.13.0-3", "product_name": "Openshift Serveless 1.13", "release_date": "2021-02-18T00:00:00Z"}, {"advisory": "RHSA-2020:5633", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-azure-machine-controllers:v4.7.0-202102130115.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:2438", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-baremetal-installer-rhel8:v4.8.0-202106291913.p0.git.a5ddd2d.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-07-27T00:00:00Z"}, {"advisory": "RHSA-2021:2438", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-etcd:v4.8.0-202106152230.p0.git.aefa6bf.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-07-27T00:00:00Z"}, {"advisory": "RHSA-2021:2041", "cpe": 
"cpe:/a:redhat:openshift_container_storage:4.7::el8", "impact": "low", "package": "ocs4/mcg-rhel8-operator:5.7.0-69.85e2026.5.7", "product_name": "Red Hat OpenShift Container Storage 4.7.0 on RHEL-8", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHSA-2021:2042", "cpe": "cpe:/a:redhat:openshift_container_storage:4.7::el8", "impact": "low", "package": "mcg-0:5.7.0-69.85e2026.5.7.el8", "product_name": "Red Hat OpenShift Container Storage 4.7.0 on RHEL-8", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "kubevirt-cpu-model-nfd-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "kubevirt-cpu-node-labeller-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "kubevirt-kvm-info-nfd-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "vm-import-controller-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}], "bugzilla": {"description": "jwt-go: access restriction bypass vulnerability", "id": "1883371", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883371"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-284", "details": ["jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). 
Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", "A vulnerability was found in jwt-go that allows an access restriction bypass. If m[\"aud\"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is \"\". This can cause audience verification to succeed even if the audiences being passed are incorrect, when required is set to false."], "name": "CVE-2020-26160", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-rhel7-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "kiali", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "jwt-go", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift-cluster-autoscaler", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift-service-idler", "product_name": "Red Hat OpenShift Container 
Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-service-catalog", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/prometheus", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-baremetal-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cloud-credential-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-cluster-autoscaler-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-cluster-image-registry-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-cluster-ingress-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-logging-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, 
{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-coredns-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-descheduler", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-docker-registry", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-elasticsearch-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-helm-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-hyperkube-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-kube-proxy", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-kube-state-metrics-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", 
"package_name": "openshift4/ose-metering-helm-container-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-reporting-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-oauth-apiserver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-openshift-apiserver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-openshift-state-metrics-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-operator-marketplace", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-ptp-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-service-catalog", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-sriov-network-config-daemon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", 
"package_name": "openshift4/ose-sriov-network-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-sriov-network-webhook", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-telemeter", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tests", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Not affected", "package_name": "ovs-cni-plugin", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", "package_name": "virt-cdi-apiserver", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", "package_name": "virt-cdi-cloner", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", "package_name": "virt-cdi-controller", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", "package_name": "virt-cdi-importer", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", 
"package_name": "virt-cdi-operator", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", "package_name": "virt-cdi-uploadproxy", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Out of support scope", "package_name": "virt-cdi-uploadserver", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Not affected", "package_name": "virt-controller", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "bridge-marker", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cluster-network-addons-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "hyperconverged-cluster-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "kubemacpool", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Will not fix", "package_name": "kubernetes-nmstate-handler", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": 
"cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-metrics-collector", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "node-maintenance-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "ovs-cni-marker", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "ovs-cni-plugin", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-apiserver", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-cloner", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-controller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-importer", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-uploadproxy", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-uploadserver", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-controller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": 
"cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "vm-import-controller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "vm-import-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay-bridge-operator", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay-setup-operator", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "multi-cloud-object-gateway-cli", "product_name": "Red Hat Storage 3"}], "public_date": "2020-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26160\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26160\nhttps://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515"], "statement": "The github.com/dgrijalva/jwt-go module is an indirect dependency of the k8s.io/client-go module, pulled into the Quay Bridge and Setup operators via the Operator SDK's generated code. The k8s.io/client-go module does not use jwt-go in an unsafe way [1]. Red Hat Quay components have been marked as wontfix. This may be fixed in the future.\nSimilar to Quay, multiple OpenShift Container Platform (OCP) containers include jwt-go as a transitive dependency due to go-autorest [1]. As such, those containers do not use jwt-go in an unsafe way. 
They have been marked wontfix at this time and may be fixed in a future update.\nAs with Quay and OpenShift Container Platform, components shipped with Red Hat OpenShift Container Storage 4 do not use jwt-go in an unsafe way and hence this issue has been rated as having a security impact of Low. A future update may address this issue.\nRed Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli as a technical preview, and it is not currently planned to be addressed in future updates; hence the multi-cloud-object-gateway-cli package will not be fixed.\n[1] https://github.com/Azure/go-autorest/issues/568#issuecomment-703804062", "threat_severity": "Moderate"}