Show plain JSON{"affected_release": [{"advisory": "RHSA-2020:2861", "cpe": "cpe:/a:redhat:service_mesh:1.0::el8", "impact": "moderate", "package": "servicemesh-grafana-0:6.2.2-38.el8", "product_name": "OpenShift Service Mesh 1.0", "release_date": "2020-07-07T00:00:00Z"}, {"advisory": "RHSA-2020:2796", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "moderate", "package": "servicemesh-grafana-0:6.4.3-11.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-07-01T00:00:00Z"}], "bugzilla": {"description": "npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js", "id": "1844228", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1844228"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function \"deleteFunctions\" within \"index.js\".", "A flaw was found in the serialize-javascript before version 3.1.0. 
This flaw allows remote attackers to inject arbitrary code via the function \"deleteFunctions\" within \"index.js.\""], "name": "CVE-2020-7660", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "impact": "low", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "moderate", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "moderate", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:1", "fix_state": "Will not fix", "impact": "moderate", "package_name": "kubevirt-web-ui-container", "product_name": "Red Hat OpenShift Virtualization 1"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "impact": "moderate", "package_name": "kubevirt-web-ui-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "impact": "low", "package_name": "nodejs-serialize-javascript", "product_name": "Red Hat Quay 3"}], "public_date": "2020-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7660\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7660"], "statement": "Red Hat Quay includes serialize-javascript as a dependency of webpack which is only used at build time. The vulnerable library is not used at runtime meaning this has a low impact on Red Hat Quay.\nThe currently supported versions of Container Native Virtualization 2 are not affected by this flaw. 
However, version 2.0, which is no longer supported, is affected.\nIn OpenShift distributed tracing there is a bundled vulnerable version of the serialize-javascript Node.js package; however, access to the vulnerable function is restricted and protected by OpenShift OAuth, hence the impact of this vulnerability is reduced to Low.\nIn Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many Node.js packages as build-time dependencies, including the serialize-javascript package. \nThe vulnerable code is not used, hence the impact to OpenShift Logging by this vulnerability is Low.", "threat_severity": "Important"}