Threats Tagged 'cve-2024-45336'
View all threats tagged with 'cve-2024-45336'. Filter and sort to focus on specific types of threats.
Red Hat Security Advisory: Logging for Red Hat OpenShift - 6.1.4
CVE-2024-45336
This advisory addresses multiple vulnerabilities in the Logging subsystem for Red Hat OpenShift 6.1.4. The issues include non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338), sensitive HTTP headers being incorrectly sent after cross-domain redirects (CVE-2024-45336), and a denial of service vulnerability in Go JOSE's parsing (CVE-2025-27144). These vulnerabilities affect various containers within the logging stack such as logging-loki, cluster-logging-operator, lokistack-gateway, and opa-openshift. The advisory provides upgrade instructions to apply fixes. No known exploits in the wild have been reported. The severity is rated high by Red Hat. Patch status is not explicitly stated but upgrade instructions indicate that fixes are available.
GCVE Database | 03/26/2025, 17:39:24 UTC | Added: 05/26/2026, 20:58:49 UTC

Red Hat Security Advisory: opentelemetry-collector security update
CVE-2024-45336
Collector with the supported components for a Red Hat build of OpenTelemetry
Security Fix(es):
* golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
* go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)
* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
* github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input (CVE-2025-29786)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
GCVE Database | 03/27/2025, 15:00:22 UTC | Added: 05/26/2026, 20:58:27 UTC

Red Hat Security Advisory: opentelemetry-collector security update
CVE-2024-45336
Collector with the supported components for a Red Hat build of OpenTelemetry
Security Fix(es):
* golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
* go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)
* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
* github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input (CVE-2025-29786)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
GCVE Database | 04/03/2025, 13:38:52 UTC | Added: 05/26/2026, 20:58:27 UTC

Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.11.7 container updates
CVE-2024-45336
Red Hat Advanced Cluster Management for Kubernetes 2.11.7 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/release_notes/
Security fixes:
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
* golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)
* crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec (CVE-2025-22866)
* golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
GCVE Database | 05/07/2025, 16:17:54 UTC | Added: 05/26/2026, 20:58:26 UTC

Red Hat Security Advisory: RHSA: Submariner 0.18.5 - bug and security update
CVE-2024-45336
Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. For more information about Submariner, see the Submariner open source community website at: https://submariner.io/. This advisory contains bug fixes and enhancements to the Submariner container images.
Security fix(es):
* quic-go: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux (CVE-2024-53259)
* golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
* crypto/internal/nistec: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec (CVE-2025-22866)
* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)
* golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)
GCVE Database | 05/12/2025, 15:04:37 UTC | Added: 05/26/2026, 20:58:25 UTC