CVE-2024-51744 - Vulnerability Details

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

References

Link	Providers
https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r
https://nvd.nist.gov/vuln/detail/CVE-2024-51744
https://www.cve.org/CVERecord?id=CVE-2024-51744

History

Tue, 05 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 05 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-51744 https://www.cve.org/CVERecord?id=CVE-2024-51744
Metrics	threat_severity `None`	threat_severity `Low`

Mon, 04 Nov 2024 22:00:00 +0000

Type	Values Removed	Values Added
Description		golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.
Title		Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt
Weaknesses		CWE-755
References		https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-04T21:47:12.170Z

Updated: 2024-11-05T16:11:42.243Z

Reserved: 2024-10-31T14:12:45.789Z

Link: CVE-2024-51744

Vulnrichment

Updated: 2024-11-05T16:11:37.984Z

NVD

Status : Awaiting Analysis

Published: 2024-11-04T22:15:03.997

Modified: 2024-11-05T16:04:26.053

Link: CVE-2024-51744

Redhat

Severity : Low

Publid Date: 2024-11-04T21:47:12Z

Links: CVE-2024-51744 - Bugzilla

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-51744", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-31T14:12:45.789Z", "datePublished": "2024-11-04T21:47:12.170Z", "dateUpdated": "2024-11-05T16:11:42.243Z"}, "containers": {"cna": {"title": "Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "lang": "en", "description": "CWE-755: Improper Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r"}, {"name": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", "tags": ["x_refsource_MISC"], "url": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c"}], "affected": [{"vendor": "golang-jwt", "product": "jwt", "versions": [{"version": "< 4.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-04T21:47:12.170Z"}, "descriptions": [{"lang": "en", "value": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above."}], "source": {"advisory": "GHSA-29wx-vh33-7x7r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-05T16:11:29.522504Z", "id": "CVE-2024-51744", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T16:11:42.243Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-51744 (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

state : PUBLISHED (string)

assignerShortName : GitHub_M (string)

dateReserved : 2024-10-31T14:12:45.789Z (string)

datePublished : 2024-11-04T21:47:12.170Z (string)

dateUpdated : 2024-11-05T16:11:42.243Z (string)

}

containers : { »

cna : { »

title : Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (string)

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-755 (string)

lang : en (string)

description : CWE-755: Improper Handling of Exceptional Conditions (string)

type : CWE (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 3.1 (number)

baseSeverity : LOW (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

]

references : [ »

0 : { »

name : https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r (string)

}

1 : { »

name : https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c (string)

}

]

affected : [ »

0 : { »

vendor : golang-jwt (string)

product : jwt (string)

versions : [ »

0 : { »

version : < 4.5.1 (string)

status : affected (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2024-11-04T21:47:12.170Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above. (string)

}

]

source : { »

advisory : GHSA-29wx-vh33-7x7r (string)

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2024-11-05T16:11:29.522504Z (string)

id : CVE-2024-51744 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-11-05T16:11:42.243Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-51744", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-05T16:11:29.522504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T16:11:37.984Z"}}], "cna": {"title": "Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", "source": {"advisory": "GHSA-29wx-vh33-7x7r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "golang-jwt", "product": "jwt", "versions": [{"status": "affected", "version": "< 4.5.1"}]}], "references": [{"url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", "name": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", "name": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-04T21:47:12.170Z"}}}, "cveMetadata": {"cveId": "CVE-2024-51744", "state": "PUBLISHED", "dateUpdated": "2024-11-05T16:11:42.243Z", "dateReserved": "2024-10-31T14:12:45.789Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-04T21:47:12.170Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-51744 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-11-05T16:11:29.522504Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-11-05T16:11:37.984Z (string)

}

]

cna : { »

title : Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (string)

source : { »

advisory : GHSA-29wx-vh33-7x7r (string)

discovery : UNKNOWN (string)

}

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 3.1 (number)

attackVector : NETWORK (string)

baseSeverity : LOW (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (string)

integrityImpact : NONE (string)

userInteraction : REQUIRED (string)

attackComplexity : HIGH (string)

availabilityImpact : NONE (string)

privilegesRequired : NONE (string)

confidentialityImpact : LOW (string)

}

]

affected : [ »

0 : { »

vendor : golang-jwt (string)

product : jwt (string)

versions : [ »

0 : { »

status : affected (string)

version : < 4.5.1 (string)

}

]

}

]

references : [ »

0 : { »

url : https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r (string)

name : https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

}

1 : { »

url : https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c (string)

name : https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c (string)

tags : [ »

0 : x_refsource_MISC (string)

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-755 (string)

description : CWE-755: Improper Handling of Exceptional Conditions (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2024-11-04T21:47:12.170Z (string)

}

cveMetadata : { »

cveId : CVE-2024-51744 (string)

state : PUBLISHED (string)

dateUpdated : 2024-11-05T16:11:42.243Z (string)

dateReserved : 2024-10-31T14:12:45.789Z (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

datePublished : 2024-11-04T21:47:12.170Z (string)

assignerShortName : GitHub_M (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"cveTags": [], "descriptions": [{"lang": "en", "value": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above."}, {"lang": "es", "value": "golang-jwt es una implementaci\u00f3n de Go de tokens web JSON. La documentaci\u00f3n poco clara del comportamiento de los errores en `ParseWithClaims` puede llevar a una situaci\u00f3n en la que los usuarios potencialmente no est\u00e9n verificando los errores como deber\u00edan. Especialmente, si un token est\u00e1 vencido y no es v\u00e1lido, los errores devueltos por `ParseWithClaims` devuelven ambos c\u00f3digos de error. Si los usuarios solo verifican `jwt.ErrTokenExpired` usando `error.Is`, ignorar\u00e1n el `jwt.ErrTokenSignatureInvalid` incorporado y, por lo tanto, potencialmente aceptar\u00e1n tokens no v\u00e1lidos. Se ha incorporado una soluci\u00f3n con la l\u00f3gica de manejo de errores de la rama `v5` a la rama `v4`. En esta l\u00f3gica, la funci\u00f3n `ParseWithClaims` regresar\u00e1 inmediatamente en situaciones \"peligrosas\" (por ejemplo, una firma no v\u00e1lida), lo que limita los errores combinados solo a situaciones en las que la firma es v\u00e1lida, pero la validaci\u00f3n posterior fall\u00f3 (por ejemplo, si la firma es v\u00e1lida, pero est\u00e1 vencida Y tiene la audiencia incorrecta). Esta correcci\u00f3n forma parte de la versi\u00f3n 4.5.1. Somos conscientes de que esto cambia el comportamiento de una funci\u00f3n establecida y no es 100 % compatible con versiones anteriores, por lo que actualizar a la versi\u00f3n 4.5.1 podr\u00eda da\u00f1ar el c\u00f3digo. En caso de que no pueda actualizar a la versi\u00f3n 4.5.0, aseg\u00farese de comprobar correctamente todos los errores (primero los \"peligrosos\"), para que no se encuentre en el caso detallado anteriormente."}], "id": "CVE-2024-51744", "lastModified": "2024-11-05T16:04:26.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-04T22:15:03.997", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c"}, {"source": "security-advisories@github.com", "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

}

1 : { »

lang : es (string)

value : golang-jwt es una implementación de Go de tokens web JSON. La documentación poco clara del comportamiento de los errores en `ParseWithClaims` puede llevar a una situación en la que los usuarios potencialmente no estén verificando los errores como deberían. Especialmente, si un token está vencido y no es válido, los errores devueltos por `ParseWithClaims` devuelven ambos códigos de error. Si los usuarios solo verifican `jwt.ErrTokenExpired` usando `error.Is`, ignorarán el `jwt.ErrTokenSignatureInvalid` incorporado y, por lo tanto, potencialmente aceptarán tokens no válidos. Se ha incorporado una solución con la lógica de manejo de errores de la rama `v5` a la rama `v4`. En esta lógica, la función `ParseWithClaims` regresará inmediatamente en situaciones "peligrosas" (por ejemplo, una firma no válida), lo que limita los errores combinados solo a situaciones en las que la firma es válida, pero la validación posterior falló (por ejemplo, si la firma es válida, pero está vencida Y tiene la audiencia incorrecta). Esta corrección forma parte de la versión 4.5.1. Somos conscientes de que esto cambia el comportamiento de una función establecida y no es 100 % compatible con versiones anteriores, por lo que actualizar a la versión 4.5.1 podría dañar el código. En caso de que no pueda actualizar a la versión 4.5.0, asegúrese de comprobar correctamente todos los errores (primero los "peligrosos"), para que no se encuentre en el caso detallado anteriormente. (string)

}

]

id : CVE-2024-51744 (string)

lastModified : 2024-11-05T16:04:26.053 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 3.1 (number)

baseSeverity : LOW (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 1.6 (number)

impactScore : 1.4 (number)

source : security-advisories@github.com (string)

type : Secondary (string)

}

]

}

published : 2024-11-04T22:15:03.997 (string)

references : [ »

0 : { »

source : security-advisories@github.com (string)

url : https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c (string)

}

1 : { »

source : security-advisories@github.com (string)

url : https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r (string)

}

]

sourceIdentifier : security-advisories@github.com (string)

vulnStatus : Awaiting Analysis (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-755 (string)

}

]

source : security-advisories@github.com (string)

type : Primary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt", "id": "2323735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2323735"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-755", "details": ["golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above."], "name": "CVE-2024-51744", "package_state": [{"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-controller-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-controller-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-git-cloner-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-git-cloner-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-image-bundler-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-image-bundler-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-image-processing-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-image-processing-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-operator-bundle", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-rhel8-operator", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-waiters-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-waiters-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-webhook-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds/openshift-builds-webhook-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Fix deferred", "package_name": "openshift-builds-triggers-container", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Fix deferred", "package_name": "cert-manager/jetstack-cert-manager-acmesolver-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Fix deferred", "package_name": "cert-manager/jetstack-cert-manager-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Fix deferred", "package_name": "cryostat-tech-preview/cryostat-storage-rhel8", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/loki-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Fix deferred", "package_name": "openshift-logging/lokistack-gateway-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Fix deferred", "package_name": "lvms4/lvms-must-gather-rhel9", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Fix deferred", "package_name": "lvms4/lvms-rhel9-operator", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Fix deferred", "package_name": "mta-discovery-addon-container", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Fix deferred", "package_name": "mta/mta-analyzer-addon-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Fix deferred", "package_name": "mta/mta-hub-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Fix deferred", "package_name": "rhmtc/openshift-migration-controller-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/agent-service-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-agent-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-controller-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-reporter-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/cluster-api-provider-azure-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/discovery-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/hive-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/hypershift-addon-rhel9-operator", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/hypershift-cli-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/hypershift-rhel9-operator", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/managedcluster-import-controller-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Fix deferred", "package_name": "oadp/oadp-mustgather-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Fix deferred", "package_name": "oadp/oadp-rhel8-operator", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Fix deferred", "package_name": "oadp/oadp-velero-plugin-for-csi-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Fix deferred", "package_name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Fix deferred", "package_name": "oadp/oadp-velero-restic-restore-helper-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Fix deferred", "package_name": "oadp/oadp-velero-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "helm", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1-func-utils-rhel8-container", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1-knative-client-plugin-event-sender-rhel8-container", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/kn-cli-artifacts-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1-logic-rhel8-operator-container", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-activator-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-autoscaler-hpa-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-autoscaler-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-controller-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-queue-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-storage-version-migration-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/serving-webhook-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/proxyv2-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-prometheus-config-reloader-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-prometheus-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/endpoint-monitoring-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/grafana-dashboard-loader-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/metrics-collector-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/multicloud-integrations-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/multiclusterhub-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/multicluster-observability-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/rbac-query-proxy-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/subctl-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/thanos-rhel7", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "volsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "receptor", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-promtail-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Fix deferred", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Fix deferred", "package_name": "rhceph/rhceph-promtail-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-codeflare-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-data-science-pipelines-argo-argoexec-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-data-science-pipelines-argo-workflowcontroller-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-api-server-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-api-server-v2-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-artifact-manager-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-cache-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-driver-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-launcher-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-persistenceagent-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-persistenceagent-v2-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-scheduledworkflow-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-ml-pipelines-scheduledworkflow-v2-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "odh-training-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_cluster_manager_cli:1", "fix_state": "Fix deferred", "package_name": "ocm-cli-clients/ocm-cli-rhel9", "product_name": "Red Hat OpenShift Cluster Manager CLI"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "microshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/azure-kms-encryption-provider-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/bare-metal-event-relay-operator-bundle", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/cloud-network-config-controller-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ingress-node-firewall-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ingress-node-firewall-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/numaresources-operator-bundle", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-api-server-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-csr-approver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-node-agent-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-orchestrator-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-aws-cluster-api-controllers-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-azure-cloud-controller-manager-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-azure-cloud-node-manager-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-azure-cluster-api-controllers-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-azure-disk-csi-driver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-azure-file-csi-driver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-azure-workload-identity-webhook-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-baremetal-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cloud-credential-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-api-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-capi-operator-container-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-capi-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-cloud-controller-manager-operator-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-control-plane-machine-set-operator-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-etcd-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-image-registry-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-ingress-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-nfd-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-cluster-platform-operators-manager-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-coredns-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-descheduler", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-docker-registry", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-etcd", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-helm-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-hyperkube-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-hypershift-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-ibm-vpc-block-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-ibm-vpc-node-label-updater-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-installer-altinfra-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-installer-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-local-storage-diskmaker", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-local-storage-mustgather-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-local-storage-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-machine-api-provider-azure-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-node-feature-discovery", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-oauth-apiserver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-olm-catalogd-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-openshift-apiserver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-registry-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-sdk-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-powervs-block-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-prometheus-config-reloader-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-prometheus-operator-admission-webhook-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-prometheus-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-smb-csi-driver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-sriov-network-config-daemon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-sriov-network-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-sriov-network-webhook", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-tests", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-vsphere-cloud-controller-manager-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/topology-aware-lifecycle-manager-operator-bundle", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4-wincw/windows-machine-config-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "ose-azure-acr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "ose-powervs-machine-controllers-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/ocs-client-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odf-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odr-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-codeflare-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-data-science-pipelines-operator-controller-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-ml-pipelines-api-server-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-ml-pipelines-artifact-manager-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-ml-pipelines-cache-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-ml-pipelines-persistenceagent-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-ml-pipelines-scheduledworkflow-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Fix deferred", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-argocd-rhel9-container", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Fix deferred", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Fix deferred", "package_name": "osc-podvm-builder-container", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/cluster-network-addons-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/cluster-network-addons-operator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-ssp-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-ssp-operator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-template-validator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-template-validator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/vm-console-proxy-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "kubesecondarydns-rhel9-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-bridge-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-openshift-bridge-rhel8-operator", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/certificate-transparency-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/client-server-re-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/cosign-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/createctconfig-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/ctlog-managectroots-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/ec-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/fulcio-createcerts-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/gitsign-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/trillian-createdb-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/trillian-createtree-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/trillian-database-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/trillian-logserver-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/trillian-logsigner-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/trillian-redis-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/tuf-server-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2024-11-04T21:47:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-51744\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-51744\nhttps://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c\nhttps://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r"], "threat_severity": "Low"}

{

bugzilla : { »

description : golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (string)

id : 2323735 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2323735 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 3.1 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (string)

status : draft (string)

}

cwe : CWE-755 (string)

details : [ »

0 : golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above. (string)

]

name : CVE-2024-51744 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:openshift_builds:1 (string)