CVE-2023-26159 - Vulnerability Details

CVE-2023-26159 - follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Follow-redirects	Follow Redirects
Redhat	Acm Cluster Observability Operator Container Native Virtualization Logging Migration Toolkit Applications Migration Toolkit Runtimes Migration Toolkit Virtualization Multicluster Engine Network Observ Optr Openshift Openshift Data Foundation Openshift Distributed Tracing Service Mesh

Configuration 1 [-]

cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*

Package	CPE	Advisory	Released Date
Migration Toolkit for Virtualization 2.5
migration-toolkit-virtualization/mtv-console-plugin-rhel9:2.5.5-3	cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9	RHBA-2024:0928	2024-02-20T00:00:00Z
MTA-6.2-RHEL-8
mta/mta-rhel8-operator:6.2.2-3	cpe:/a:redhat:migration_toolkit_applications:6.2::el8	RHSA-2024:1027	2024-02-28T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-hub-rhel9:6.2.2-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-operator-bundle:6.2.2-5	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-pathfinder-rhel9:6.2.2-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-ui-rhel9:6.2.2-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-windup-addon-rhel9:6.2.2-3	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:1027	2024-02-28T00:00:00Z
mta/mta-ui-rhel9:6.2.3-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:3989	2024-06-20T00:00:00Z
MTA-7.0-RHEL-9
mta/mta-cli-rhel9:7.0.3-16	cpe:/a:redhat:migration_toolkit_applications:7.0::el9	RHSA-2024:3316	2024-05-23T00:00:00Z
mta/mta-ui-rhel9:7.0.3-13	cpe:/a:redhat:migration_toolkit_applications:7.0::el9	RHSA-2024:3316	2024-05-23T00:00:00Z
MTR 1.2.4
follow-redirects	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:0720	2024-02-07T00:00:00Z
multicluster engine for Kubernetes 2.4 for RHEL 8
multicluster-engine/console-mce-rhel8:v2.4.5-25	cpe:/a:redhat:multicluster_engine:2.4::el8	RHBA-2024:3555	2024-06-03T00:00:00Z
multicluster-engine/multicluster-engine-console-mce-rhel8:v2.4.5-25	cpe:/a:redhat:multicluster_engine:2.4::el8	RHBA-2024:3555	2024-06-03T00:00:00Z
NETWORK-OBSERVABILITY-1.5.0-RHEL-9
network-observability/network-observability-console-plugin-rhel9:v1.5.0-89	cpe:/a:redhat:network_observ_optr:1.5.0::el9	RHSA-2024:0853	2024-02-21T00:00:00Z
Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8
rhacm2/console-rhel8:v2.9.4-22	cpe:/a:redhat:acm:2.9::el8	RHBA-2024:3593	2024-06-04T00:00:00Z
Red Hat OpenShift Container Platform 4.15
openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202402082307.p0.gc3d2272.assembly.stream.el8	cpe:/a:redhat:openshift:4.15::el8	RHSA-2023:7198	2024-02-27T00:00:00Z
Red Hat Openshift distributed tracing 3.1
rhosdt/jaeger-agent-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-all-in-one-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-collector-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-es-index-cleaner-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-es-rollover-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-ingester-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-operator-bundle:1.53.0-15	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-query-rhel8:1.53.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/jaeger-rhel8-operator:1.53.0-3	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/opentelemetry-collector-rhel8:0.93.0-3	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/opentelemetry-operator-bundle:0.93.0-8	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/opentelemetry-rhel8-operator:0.93.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/opentelemetry-target-allocator-rhel8:0.93.0-3	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/tempo-gateway-opa-rhel8:1.0.0-1	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/tempo-gateway-rhel8:1.0.0-1	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/tempo-operator-bundle:0.8.0-8	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/tempo-query-rhel8:0.8.0-3	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/tempo-rhel8:2.3.1-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
rhosdt/tempo-rhel8-operator:0.8.0-2	cpe:/a:redhat:openshift_distributed_tracing:3.1::el8	RHSA-2024:0998	2024-02-27T00:00:00Z
Red Hat OpenShift Service Mesh 2.5 for RHEL 8
openshift-service-mesh/grafana-rhel8:2.5.1-2	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/istio-cni-rhel8:2.5.1-8	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/istio-must-gather-rhel8:2.5.1-3	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/istio-rhel8-operator:2.5.1-7	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/kiali-ossmc-rhel8:1.73.7-2	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/kiali-rhel8:1.73.7-5	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/kiali-rhel8-operator:1.73.7-4	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/pilot-rhel8:2.5.1-8	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/proxyv2-rhel8:2.5.1-8	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
openshift-service-mesh/ratelimit-rhel8:2.5.1-2	cpe:/a:redhat:service_mesh:2.5::el8	RHSA-2024:1946	2024-04-22T00:00:00Z
RHEL-9-CNV-4.15
container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383	cpe:/a:redhat:container_native_virtualization:4.15::el9	RHSA-2024:3314	2024-05-23T00:00:00Z
RHODF-4.15-RHEL-9
odf4/odf-console-rhel9:v4.15.0-57	cpe:/a:redhat:openshift_data_foundation:4.15::el9	RHSA-2024:1383	2024-03-19T00:00:00Z
odf4/odf-multicluster-console-rhel9:v4.15.0-54	cpe:/a:redhat:openshift_data_foundation:4.15::el9	RHSA-2024:1383	2024-03-19T00:00:00Z
RHOL-5.8-RHEL-9
openshift-logging/logging-view-plugin-rhel9:v5.8.2-3	cpe:/a:redhat:logging:5.8::el9	RHSA-2024:0271	2024-01-17T00:00:00Z
Cluster Observability Operator 1.0.0
registry.redhat.io/cluster-observability-operator/cluster-observability-rhel8-operator:sha256:d186268cdfcf15cc98e28555eef9b0cb6d082e3a9561346f05da62dd74bfdf32	cpe:/a:redhat:cluster_observability_operator:1.0::el8	RHSA-2025:1609	2025-02-17T00:00:00Z

References

Link	Providers
https://github.com/follow-redirects/follow-redirects/issues/235
https://github.com/follow-redirects/follow-redirects/pull/236
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/
https://nvd.nist.gov/vuln/detail/CVE-2023-26159
https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137
https://www.cve.org/CVERecord?id=CVE-2023-26159

History

Tue, 18 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat cluster Observability Operator
CPEs		cpe:/a:redhat:cluster_observability_operator:1.0::el8
Vendors & Products		Redhat cluster Observability Operator

Mon, 11 Nov 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat acm Redhat multicluster Engine
CPEs		cpe:/a:redhat:acm:2.9::el8 cpe:/a:redhat:multicluster_engine:2.4::el8
Vendors & Products		Redhat acm Redhat multicluster Engine

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2024-01-02T05:00:00.659Z

Updated: 2025-02-13T16:44:52.151Z

Reserved: 2023-02-20T10:28:48.931Z

Link: CVE-2023-26159

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-02T05:15:08.630

Modified: 2024-11-21T07:50:54.353

Link: CVE-2023-26159

Redhat

Severity : Moderate

Publid Date: 2024-01-02T00:00:00Z

Links: CVE-2023-26159 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26159", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.931Z", "datePublished": "2024-01-02T05:00:00.659Z", "dateUpdated": "2025-02-13T16:44:52.151Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"}}], "credits": [{"value": "Kim Donggyu", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-01-23T03:06:22.806Z"}, "descriptions": [{"value": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"}, {"url": "https://github.com/follow-redirects/follow-redirects/issues/235"}, {"url": "https://github.com/follow-redirects/follow-redirects/pull/236"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}], "affected": [{"product": "follow-redirects", "versions": [{"version": "0", "lessThan": "1.15.4", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.643Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137", "tags": ["x_transferred"]}, {"url": "https://github.com/follow-redirects/follow-redirects/issues/235", "tags": ["x_transferred"]}, {"url": "https://github.com/follow-redirects/follow-redirects/pull/236", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:follow-redirects:follow_redirects:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5E9B14E8-F184-4F4C-8275-8FE1D093D258", "versionEndExcluding": "1.15.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches."}, {"lang": "es", "value": "Las versiones del paquete follow-redirects anteriores a la 1.15.4 son vulnerables a una validaci\u00f3n de entrada incorrecta debido al manejo inadecuado de las URL por parte de la funci\u00f3n url.parse(). Cuando la nueva URL() arroja un error, se puede manipular para malinterpretar el nombre de host. Un atacante podr\u00eda aprovechar esta debilidad para redirigir el tr\u00e1fico a un sitio malicioso, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, ataques de phishing u otras violaciones de seguridad."}], "id": "CVE-2023-26159", "lastModified": "2024-11-21T07:50:54.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-02T05:15:08.630", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/follow-redirects/follow-redirects/issues/235"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/follow-redirects/follow-redirects/pull/236"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/follow-redirects/follow-redirects/issues/235"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/follow-redirects/follow-redirects/pull/236"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZ425BFKNBQ6AK7I5SAM56TWON5OF2XM/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2024:0928", "cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9", "package": "migration-toolkit-virtualization/mtv-console-plugin-rhel9:2.5.5-3", "product_name": "Migration Toolkit for Virtualization 2.5", "release_date": "2024-02-20T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el8", "package": "mta/mta-rhel8-operator:6.2.2-3", "product_name": "MTA-6.2-RHEL-8", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-hub-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-operator-bundle:6.2.2-5", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-pathfinder-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-ui-rhel9:6.2.2-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1027", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.2-3", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-ui-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-cli-rhel9:7.0.3-16", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-ui-rhel9:7.0.3-13", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:0720", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "follow-redirects", "product_name": "MTR 1.2.4", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHBA-2024:3555", "cpe": "cpe:/a:redhat:multicluster_engine:2.4::el8", "package": "multicluster-engine/console-mce-rhel8:v2.4.5-25", "product_name": "multicluster engine for Kubernetes 2.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHBA-2024:3555", "cpe": "cpe:/a:redhat:multicluster_engine:2.4::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel8:v2.4.5-25", "product_name": "multicluster engine for Kubernetes 2.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:0853", "cpe": "cpe:/a:redhat:network_observ_optr:1.5.0::el9", "package": "network-observability/network-observability-console-plugin-rhel9:v1.5.0-89", "product_name": "NETWORK-OBSERVABILITY-1.5.0-RHEL-9", "release_date": "2024-02-21T00:00:00Z"}, {"advisory": "RHBA-2024:3593", "cpe": "cpe:/a:redhat:acm:2.9::el8", "package": "rhacm2/console-rhel8:v2.9.4-22", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8", "release_date": "2024-06-04T00:00:00Z"}, {"advisory": "RHSA-2023:7198", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202402082307.p0.gc3d2272.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-agent-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-all-in-one-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-collector-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-es-index-cleaner-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-es-rollover-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-ingester-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-operator-bundle:1.53.0-15", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-query-rhel8:1.53.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/jaeger-rhel8-operator:1.53.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-collector-rhel8:0.93.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-operator-bundle:0.93.0-8", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-rhel8-operator:0.93.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/opentelemetry-target-allocator-rhel8:0.93.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-gateway-opa-rhel8:1.0.0-1", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-gateway-rhel8:1.0.0-1", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-operator-bundle:0.8.0-8", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-query-rhel8:0.8.0-3", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-rhel8:2.3.1-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:0998", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.1::el8", "package": "rhosdt/tempo-rhel8-operator:0.8.0-2", "product_name": "Red Hat Openshift distributed tracing 3.1", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/grafana-rhel8:2.5.1-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.5.1-3", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.5.1-7", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-ossmc-rhel8:1.73.7-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8:1.73.7-5", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.73.7-4", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/pilot-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.5.1-8", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:1946", "cpe": "cpe:/a:redhat:service_mesh:2.5::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.5.1-2", "product_name": "Red Hat OpenShift Service Mesh 2.5 for RHEL 8", "release_date": "2024-04-22T00:00:00Z"}, {"advisory": "RHSA-2024:3314", "cpe": "cpe:/a:redhat:container_native_virtualization:4.15::el9", "package": "container-native-virtualization/kubevirt-console-plugin-rhel9:v4.15.2-383", "product_name": "RHEL-9-CNV-4.15", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-console-rhel9:v4.15.0-57", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.15.0-54", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:0271", "cpe": "cpe:/a:redhat:logging:5.8::el9", "package": "openshift-logging/logging-view-plugin-rhel9:v5.8.2-3", "product_name": "RHOL-5.8-RHEL-9", "release_date": "2024-01-17T00:00:00Z"}, {"advisory": "RHSA-2025:1609", "cpe": "cpe:/a:redhat:cluster_observability_operator:1.0::el8", "package": "registry.redhat.io/cluster-observability-operator/cluster-observability-rhel8-operator:sha256:d186268cdfcf15cc98e28555eef9b0cb6d082e3a9561346f05da62dd74bfdf32", "product_name": "Cluster Observability Operator 1.0.0", "release_date": "2025-02-17T00:00:00Z"}], "bugzilla": {"description": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()", "id": "2256413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.", "An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-26159", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Fix deferred", "package_name": "follow-redirects", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-ui-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Not affected", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-hub", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3x-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "follow-redirects", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:discovery:1", "fix_state": "Not affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "follow-redirects", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "console-dashboards-plugin-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/nmstate-console-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Will not fix", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/console-plugin-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "follow-redirects", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-redhat-cloud-services-frontend-components", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-01-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-26159\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-26159"], "statement": "follow-redirects is a transitive dependency of Grafana, and does not affect Red Hat Enterprise Linux 8.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections, such as IPS/IDS and antimalware solutions, help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.", "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object