Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 510
Alerts This Week
Warning Icon 1 510

Red Hat Migration Toolkit 1.7.4 RHSA-2022:6429-01 Critical Auth Bypass

red hat
Calendar Grey September 13, 2022
Dist Redhat Esm H88
Crucial enhancements in the Migration Toolkit for Containers (MTC) target severe vulnerabilities and offer essential remedies.
The Migration Toolkit for Containers (MTC) 1.7.4 is now available

Solution

For details on how to install and use MTC, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/migration_toolkit_for_containers/installing-mtc

Summary

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es):
* nodejs-url-parse: authorization bypass through user-controlled key (CVE-2022-0512)
* npm-url-parse: Authorization bypass through user-controlled key (CVE-2022-0686)
* npm-url-parse: authorization bypass through user-controlled key (CVE-2022-0691)
* eventsource: Exposure of Sensitive Information (CVE-2022-1650)
* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500)
* nodejs-lodash: command injection via template (CVE-2021-23337)
* npm-url-parse: Authorization Bypass Through User-Controlled Key (CVE-2022-0639)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-8559 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-15586 https://access.redhat.com/security/cve/CVE-2020-16845 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2020-28493 https://access.redhat.com/security/cve/CVE-2020-28500 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-3737 https://access.redhat.com/security/cve/CVE-2021-4189 https://access.redhat.com/security/cve/CVE-2021-20095 https://access.redhat.com/security/cve/CVE-2021-20231 Read the Full Advisory

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2022:6429-01
Product: Red Hat Migration Toolkit
Issue date: 2022-09-13

Topic

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template

1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions

2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key

2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key

2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key

2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key

2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.