Threats Tagged 'cve-2024-21536'

Red Hat OpenShift Data Foundation 4. 15. 14 includes a bug fix update addressing multiple security vulnerabilities across various components such as serialize-javascript, body-parser, http-proxy-middleware, and others. These vulnerabilities include cross-site scripting (XSS), denial of service (DoS), prototype pollution, and URL validation issues. The update is classified as important and targets Red Hat OpenShift Data Foundation running on Red Hat Enterprise Linux 9 across multiple architectures. The advisory references 12 CVEs fixed in this release, including CVE-2024-11831. No known exploits in the wild have been reported. Users are advised to apply this update after ensuring all previous errata are applied.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4. 6. 5 addresses multiple security vulnerabilities that could lead to denial of service conditions. The fixed flaws include a denial of service via unhandled promise rejections in the http-proxy-middleware component (CVE-2024-21536), excessive memory allocation during JWT header parsing in jwt-go (CVE-2025-30204), and prototype pollution in redoc allowing denial of service through crafted payloads (CVE-2024-57083). These issues were resolved in the RHACS 4. 6. 5 patch release. Users of earlier RHACS 4. 6 versions are advised to upgrade to this release. No known exploits in the wild have been reported at this time.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) version 4. 7. 2 addresses multiple security vulnerabilities including denial of service issues in the http-proxy-middleware and redoc packages, and an excessive memory allocation vulnerability in the golang-jwt package. These vulnerabilities could impact the availability and stability of the affected components. Red Hat has released updated images to remediate these issues and advises users to upgrade to RHACS 4. 7. 2. The update is rated with an Important security impact by Red Hat Product Security. No known exploits are reported in the wild at this time.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4. 5. 9 includes important security updates addressing multiple vulnerabilities, including a denial of service flaw in the http-proxy-middleware package (CVE-2024-21536), a prototype pollution vulnerability in redoc (CVE-2024-57083), and a flaw in the golang-jwt implementation of JSON Web Tokens (CVE-2025-30204). These vulnerabilities could lead to denial of service or excessive memory allocation. The update also fixes related bugs for consistency in compliance table aggregation fields. Users of earlier RHACS 4. 5 versions are advised to upgrade to 4. 5. 9 to apply these fixes.

OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift DataFoundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multi-cloud data management service with an S3 compatible API. Security Fix(es): * express: cause malformed URLs to be evaluated (CVE-2024-29041) * npm-serialize-javascript: Cross-site Scripting (XSS) in serialize-javascript (CVE-2024-11831) * http-proxy-middleware: Denial of Service (CVE-2024-21536) * go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144) * golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868) * golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869) * golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multi-cloud data management service with an S3 compatible API.

OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift DataFoundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multi-cloud data management service with an S3 compatible API. Security Fix(es): * express: cause malformed URLs to be evaluated (CVE-2024-29041) * nodejs-async: Regular expression denial of service while parsing function in autoinject (CVE-2024-39249) * body-parser: Denial of Service Vulnerability in body-parser (CVE-2024-45590) * npm-serialize-javascript: Cross-site Scripting (XSS) in serialize-javascript (CVE-2024-11831) * http-proxy-middleware: Denial of Service (CVE-2024-21536) * golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338) * golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Security Fix(es) from Bugzilla: * golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338) * golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868) * golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204) * http-proxy-middleware: Denial of Service (CVE-2024-21536) * cross-spawn: regular expression denial of service (CVE-2024-21538) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.