pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/c10f2/ALT-PU-2023-6181/definitions.json
pepelyaevip 9e8a5a2bb2 ALT Vulnerability
2024-02-14 09:47:22 +00:00

276 lines
13 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20236181",
"Version": "oval:org.altlinux.errata:def:20236181",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-6181: package `consul` update to version 1.16.2-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f2"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-6181",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-6181",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-04800",
"RefURL": "https://bdu.fstec.ru/vul/2021-04800",
"Source": "BDU"
},
{
"RefID": "BDU:2022-01882",
"RefURL": "https://bdu.fstec.ru/vul/2022-01882",
"Source": "BDU"
},
{
"RefID": "BDU:2023-01973",
"RefURL": "https://bdu.fstec.ru/vul/2023-01973",
"Source": "BDU"
},
{
"RefID": "CVE-2020-25864",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-25864",
"Source": "CVE"
},
{
"RefID": "CVE-2021-28156",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-28156",
"Source": "CVE"
},
{
"RefID": "CVE-2021-3121",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"Source": "CVE"
},
{
"RefID": "CVE-2021-32574",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-32574",
"Source": "CVE"
},
{
"RefID": "CVE-2021-37219",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-37219",
"Source": "CVE"
},
{
"RefID": "CVE-2021-38698",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-38698",
"Source": "CVE"
},
{
"RefID": "CVE-2021-41803",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-41803",
"Source": "CVE"
},
{
"RefID": "CVE-2021-41805",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-41805",
"Source": "CVE"
},
{
"RefID": "CVE-2022-24687",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-24687",
"Source": "CVE"
},
{
"RefID": "CVE-2022-29153",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-29153",
"Source": "CVE"
},
{
"RefID": "CVE-2022-40716",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-40716",
"Source": "CVE"
},
{
"RefID": "CVE-2023-0845",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-0845",
"Source": "CVE"
}
],
"Description": "This update upgrades consul to version 1.16.2-alt1. \nSecurity Fix(es):\n\n * BDU:2021-04800: Уязвимость функции библиотеки GoGo Protobuf, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2022-01882: Уязвимость прокси-сервера Envoy инструмента настройки сервисов Consul, позволяющая нарушителю оказать воздействие на целостность данных\n\n * BDU:2023-01973: Уязвимость инструмента настройки сервисов Consul и Consul Enterprise, связанная с ошибками разыменования указателей, позволяющая нарушителю вызвать аварийное завершение работы приложения\n\n * CVE-2020-25864: HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.\n\n * CVE-2021-28156: HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.\n\n * CVE-2021-3121: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.\n\n * CVE-2021-32574: HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.\n\n * CVE-2021-37219: HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.\n\n * CVE-2021-38698: HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.\n\n * CVE-2021-41803: HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.\"\n\n * CVE-2021-41805: HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.\n\n * CVE-2022-24687: HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.\n\n * CVE-2022-29153: HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.\n\n * CVE-2022-40716: HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.\"\n\n * CVE-2023-0845: Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2023-10-24"
},
"Updated": {
"Date": "2023-10-24"
},
"bdu": [
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"Cwe": "CWE-129",
"Href": "https://bdu.fstec.ru/vul/2021-04800",
"Impact": "High",
"Public": "20200807",
"CveID": "BDU:2021-04800"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "CWE-295",
"Href": "https://bdu.fstec.ru/vul/2022-01882",
"Impact": "High",
"Public": "20210715",
"CveID": "BDU:2022-01882"
},
{
"Cvss": "AV:N/AC:L/Au:M/C:N/I:N/A:C",
"Cvss3": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-476",
"Href": "https://bdu.fstec.ru/vul/2023-01973",
"Impact": "Low",
"Public": "20230307",
"CveID": "BDU:2023-01973"
}
],
"Cves": [
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"Cwe": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-25864",
"Impact": "Low",
"Public": "20210420",
"CveID": "CVE-2020-25864"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-28156",
"Impact": "High",
"Public": "20210420",
"CveID": "CVE-2021-28156"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"Cwe": "CWE-129",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"Impact": "High",
"Public": "20210111",
"CveID": "CVE-2021-3121"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-32574",
"Impact": "High",
"Public": "20210717",
"CveID": "CVE-2021-32574"
},
{
"Cvss": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-37219",
"Impact": "High",
"Public": "20210907",
"CveID": "CVE-2021-37219"
},
{
"Cvss": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"Cwe": "CWE-862",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-38698",
"Impact": "Low",
"Public": "20210907",
"CveID": "CVE-2021-38698"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"Cwe": "CWE-862",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-41803",
"Impact": "High",
"Public": "20220923",
"CveID": "CVE-2021-41803"
},
{
"Cvss": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-863",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-41805",
"Impact": "High",
"Public": "20211212",
"CveID": "CVE-2021-41805"
},
{
"Cvss": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-24687",
"Impact": "Low",
"Public": "20220224",
"CveID": "CVE-2022-24687"
},
{
"Cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "CWE-918",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-29153",
"Impact": "High",
"Public": "20220419",
"CveID": "CVE-2022-29153"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "CWE-252",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-40716",
"Impact": "Low",
"Public": "20220923",
"CveID": "CVE-2022-40716"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Cwe": "CWE-476",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-0845",
"Impact": "Low",
"Public": "20230309",
"CveID": "CVE-2023-0845"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:5001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20236181001",
"Comment": "consul is earlier than 0:1.16.2-alt1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink