
Threats Tagged 'cve-2025-26791'

Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (CVE-2025-26791)

A security update for Red Hat Ansible Automation Platform 2.5 addresses a moderate severity vulnerability identified as CVE-2025-26791. This vulnerability is a mutation-based Cross-Site Scripting (XSS) issue in the automation-gateway component caused by improper handling of template literals in DOMPurify. The update includes a fix for this vulnerability along with multiple bug fixes and improvements across the platform components. No known exploits in the wild have been reported. The update is available for affected Red Hat Ansible Automation Platform 2.5 versions on RHEL 8 and 9.

Red Hat Security Advisory: OpenShift Container Platform 4.17.15 security and extras update (CVE-2024-21538)

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.15. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2025:0876

Security Fix(es):

* golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
* body-parser: Denial of Service Vulnerability in body-parser (CVE-2024-45590)
* dompurify: DOMPurify vulnerable to tampering by prototype pollution (CVE-2024-48910)
* jinja2: Jinja has a sandbox breakout through malicious filenames (CVE-2024-56201)
* express: Improper Input Handling in Express Redirects (CVE-2024-43796)
* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)
* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)
* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
* path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x (CVE-2024-52798)
* nanoid: nanoid mishandles non-integer values (CVE-2024-55565)
* jinja2: Jinja has a sandbox breakout through indirect reference to format method (CVE-2024-56326)
* cross-spawn: regular expression denial of service (CVE-2024-21538)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Red Hat Security Advisory: RHTAS 1.1.2 - Red Hat Trusted Artifact Signer Release (CVE-2025-22868)

The RHTAS Operator can be used with OpenShift Container Platform 4.14, 4.15, 4.16, 4.17, and 4.18.

Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.21.0 release (CVE-2024-12905)

Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development. The 3.21 release is based on Eclipse Che 7.102 and uses the DevWorkspace engine to provide support for workspaces based on devfile v2.1 and v2.2. Users still using the v1 standard should migrate as soon as possible. https://devfile.io/docs/2.2.0/migrating-to-devfile-v2

Dev Spaces releases support the latest two OpenShift 4 EUS releases. Users are expected to update to newer OpenShift releases in order to continue to get Dev Spaces updates. https://access.redhat.com/support/policy/updates/openshift#devspaces

Security Fix(es):

devspaces-code
- tar-fs: link following and path traversal via maliciously crafted tar file (CVE-2024-12905)

devspaces-traefik
- traefik: HTTP client can manipulate custom HTTP headers that are added by Traefik (CVE-2024-45410)
- golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (CVE-2024-45337)
- golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
- golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)

Red Hat Security Advisory: VolSync 0.11.2 security fixes and enhancements for RHEL 9 (CVE-2025-22868)

VolSync v0.11.2 is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data. For more information about VolSync, see: https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync or the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/

This advisory contains enhancements and updates to the VolSync container images.

Security fix(es):

* golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
