Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Blue Ocean Plugin
*   Config File Provider Plugin
*   Delphix Plugin
*   Docker Swarm Plugin
*   Favorite View Plugin
*   Flaky Test Handler Plugin
*   Folders Plugin
*   Fortify Plugin
*   Gogs Plugin
*   Maven Artifact ChoiceListProvider (Nexus) Plugin
*   NodeJS Plugin
*   Shortcut Job Plugin
*   Tuleap Authentication Plugin

**Descriptions****CSRF vulnerability in Folders Plugin may approve unsandboxed scripts**

**SECURITY-3106 / CVE-2023-40336**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.

An improvement added in Script Security Plugin 1265.va\_fb\_290b\_4b\_d34 and 1251.1253.v4e638b\_e3b\_221 prevents automatic approval of unsandboxed scripts when administrators copy jobs, significantly reducing the impact of this vulnerability.

Folders Plugin 6.848.ve3b\_fd7839a\_81 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability in Folders Plugin**

**SECURITY-3105 / CVE-2023-40337**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy a view inside a folder.

Folders Plugin 6.848.ve3b\_fd7839a\_81 requires POST requests for the affected HTTP endpoint.

**Information disclosure in Folders Plugin**

**SECURITY-3109 / CVE-2023-40338**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.

In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.

Folders Plugin 6.848.ve3b\_fd7839a\_81 does not display the absolute path of a log file in the error message.

**Improper masking of credentials in Config File Provider Plugin**

**SECURITY-3090 / CVE-2023-40339**  
**Severity (CVSS):** Medium  
**Affected plugin: config-file-provider**  
**Description:**

Config File Provider Plugin 952.va\_544a\_6234b\_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they’re written to the build log.

Config File Provider Plugin 953.v0432a\_802e4d2 masks credentials configured in configuration files if they appear in the build log.

**Improper masking of credentials in NodeJS Plugin**

**SECURITY-3196 / CVE-2023-40340**  
**Severity (CVSS):** Medium  
**Affected plugin: nodejs**  
**Description:**

NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file.

NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

NodeJS Plugin 1.6.0.1 masks credentials specified in the Npm config file in Pipeline build logs.

**CSRF vulnerability in Blue Ocean Plugin allows capturing credentials**

**SECURITY-3116 / CVE-2023-40341**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

This issue is due to an incomplete fix of SECURITY-2502.

Blue Ocean Plugin 1.27.5.1 uses the configured SCM URL, instead of a user-specified URL provided as a parameter to the HTTP endpoint.

**CSRF vulnerability and missing permission checks in Fortify Plugin allow capturing credentials**

**SECURITY-3115 / CVE-2023-4301 (CSRF), CVE-2023-4302 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify**  
**Description:**

Fortify Plugin 22.1.38 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Fortify Plugin 22.2.39 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**HTML injection vulnerability in Fortify Plugin**

**SECURITY-3140 / CVE-2023-4303**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify**  
**Description:**

Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability.

Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected.

Fortify Plugin 22.2.39 removes HTML tags from the error message.

**Stored XSS vulnerability in Flaky Test Handler Plugin**

**SECURITY-3223 / CVE-2023-40342**  
**Severity (CVSS):** High  
**Affected plugin: flaky-test-handler**  
**Description:**

Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

Flaky Test Handler Plugin 1.2.3 escapes JUnit test contents when showing them on the Jenkins UI.

**Non-constant time token comparison in Tuleap Authentication Plugin**

**SECURITY-3229 / CVE-2023-40343**  
**Severity (CVSS):** Low  
**Affected plugin: tuleap-oauth**  
**Description:**

Tuleap Authentication Plugin 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Tuleap Authentication Plugin 1.1.21 uses a constant-time comparison when validating authentication tokens.

**Missing permission check in Delphix Plugin allows enumerating credentials IDs**

**SECURITY-3214 (1) / CVE-2023-40344**  
**Severity (CVSS):** Medium  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin 3.0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Delphix Plugin 3.0.3 requires the appropriate permissions.

**Exposure of system-scoped credentials in Delphix Plugin**

**SECURITY-3214 (2) / CVE-2023-40345**  
**Severity (CVSS):** Medium  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to.

Delphix Plugin 3.0.3 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Shortcut Job Plugin**

**SECURITY-3071 / CVE-2023-40346**  
**Severity (CVSS):** High  
**Affected plugin: shortcut-job**  
**Description:**

Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

Shortcut Job Plugin 0.5 escapes the shortcut redirection URL.

**Exposure of system-scoped credentials in Maven Artifact ChoiceListProvider (Nexus) Plugin**

**SECURITY-3153 / CVE-2023-40347**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-artifact-choicelistprovider**  
**Description:**

Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

**Unsafe default behavior and information disclosure in Gogs Plugin webhook**

**SECURITY-2894 / CVE-2023-40348 (information disclosure), CVE-2023-40349 (insecure default)**  
**Severity (CVSS):** Medium  
**Affected plugin: gogs-webhook**  
**Description:**

Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name.

Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.

**Stored XSS vulnerability in Docker Swarm Plugin**

**SECURITY-2811 / CVE-2023-40350**  
**Severity (CVSS):** High  
**Affected plugin: docker-swarm**  
**Description:**

Docker Swarm Plugin processes Docker responses to generate the Docker Swarm Dashboard view.

Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

**CSRF vulnerability in Favorite View Plugin**

**SECURITY-3201 / CVE-2023-40351**  
**Severity (CVSS):** Medium  
**Affected plugin: favorite-view**  
**Description:**

Favorite View Plugin 5.v77a\_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to add or remove views from another user’s favorite views tab bar.

**Severity**

*   SECURITY-2811: High
*   SECURITY-2894: Medium
*   SECURITY-3071: High
*   SECURITY-3090: Medium
*   SECURITY-3105: Medium
*   SECURITY-3106: High
*   SECURITY-3109: Medium
*   SECURITY-3115: Medium
*   SECURITY-3116: Medium
*   SECURITY-3140: Medium
*   SECURITY-3153: Medium
*   SECURITY-3196: Medium
*   SECURITY-3201: Medium
*   SECURITY-3214 (1): Medium
*   SECURITY-3214 (2): Medium
*   SECURITY-3223: High
*   SECURITY-3229: Low

**Affected Versions**

*   **Blue Ocean Plugin** up to and including 1.27.5
*   **Config File Provider Plugin** up to and including 952.va\_544a\_6234b\_46
*   **Delphix Plugin** up to and including 3.0.2
*   **Docker Swarm Plugin** up to and including 1.11
*   **Favorite View Plugin** up to and including 5.v77a\_37f62782d
*   **Flaky Test Handler Plugin** up to and including 1.2.2
*   **Folders Plugin** up to and including 6.846.v23698686f0f6
*   **Fortify Plugin** up to and including 22.1.38
*   **Gogs Plugin** up to and including 1.0.15
*   **Maven Artifact ChoiceListProvider (Nexus) Plugin** up to and including 1.14
*   **NodeJS Plugin** up to and including 1.6.0
*   **Shortcut Job Plugin** up to and including 0.4
*   **Tuleap Authentication Plugin** up to and including 1.1.20

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.27.5.1
*   **Config File Provider Plugin** should be updated to version 953.v0432a\_802e4d2
*   **Delphix Plugin** should be updated to version 3.0.3
*   **Flaky Test Handler Plugin** should be updated to version 1.2.3
*   **Folders Plugin** should be updated to version 6.848.ve3b\_fd7839a\_81
*   **Fortify Plugin** should be updated to version 22.2.39
*   **NodeJS Plugin** should be updated to version 1.6.0.1
*   **Shortcut Job Plugin** should be updated to version 0.5
*   **Tuleap Authentication Plugin** should be updated to version 1.1.21

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Docker Swarm Plugin
*   Favorite View Plugin
*   Gogs Plugin
*   Maven Artifact ChoiceListProvider (Nexus) Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3116, SECURITY-3153
*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3201, SECURITY-3223
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-3214 (1), SECURITY-3214 (2)
*   **James Nord, CloudBees, Inc.** for SECURITY-3090, SECURITY-3196
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3071, SECURITY-3105, SECURITY-3106, SECURITY-3109, SECURITY-3140
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2811
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3229
*   **Kevin Guerroudj, CloudBees, Inc. and, independently, Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3115
*   **anhnm99** for SECURITY-2894

CVE-2023-40349: Jenkins Security Advisory 2023-08-16

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

CVE-2023-40339: Jenkins Security Advisory 2023-08-16

Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

CVE-2023-40346: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.

CVE-2023-40337: Jenkins Security Advisory 2023-08-16

A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2023-40344: Jenkins Security Advisory 2023-08-16

Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

CVE-2023-40342: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

CVE-2023-40341: Jenkins Security Advisory 2023-08-16

Red Hat Security Advisory 2023-4625-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh Containers for 2.4.2 security update  
Advisory ID:       RHSA-2023:4625-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4625  
Issue date:        2023-08-11  
CVE Names:         CVE-2023-2828 CVE-2023-35941 CVE-2023-35943   
                   CVE-2023-35944   
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.4.2 Containers

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an on-premise  
OpenShift Container Platform installation.

Security Fix(es):

* envoy: OAuth2 credentials exploit with permanent validity  
(CVE-2023-35941)

* envoy: Incorrect handling of HTTP requests and responses with mixed case  
schemes (CVE-2023-35944)

* envoy: CORS filter segfault when origin header is removed  
(CVE-2023-35943)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity  
2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes  
2217987 - CVE-2023-35943 envoy: CORS filter segfault when origin header is removed

5. References:

https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/cve/CVE-2023-35941  
https://access.redhat.com/security/cve/CVE-2023-35943  
https://access.redhat.com/security/cve/CVE-2023-35944  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pgEAAoJENzjgjWX9erEdf8P/R2dp7OtPRZPuUU1x21pHihH  
Ks8Pu3HrM3aWGm6GBBEeEJ/kw+S/Jjiy+L06w1NuzemAUfP/tTkqlRTjyqmCZpwk  
JjwmO3ee7Z8Lz+LJbLPa2EX+h0hNbyP0xn58Z82fZdfJcCM696fzNIvYMwoJEgp0  
wB/T3ZI625iNN4gWJrV1w4IbyvVXJ1J3RC+gYW8i2IfpR+1jeNQ0RAbgjSSEYGZO  
HvwWuvwx8JYlPDHuXZbG9IkSngOl+W8rULiQVUr1adClGl9lFiYBservNLJ2Kt2E  
obkiqsZRPhPmLiSM9xJPHM3y3eqVJgAjFIUzzbiFEDfE8jnZza1rnEE1sCoZk+p8  
/8HQnPdNK6GKMbxpAFQRTvL3Cjy8NnWFqf44RvjX212SlCnNxw+cQnYF3XhtH+uc  
6Z2ALAgbW5k3smrWAnS2W4uaJdKVX6RBDewDe4BeXxq5kAwsjtDfGOtacl4Gj8Ia  
UEUopVSdpr83/BQwD6T1F33A8IkDWMl5cIOB3ZpnoYkNvkAAM65vrOfIIcxN1AfD  
j4LTNmRoVGl3SgVxbDZTb/d1nhwq5fAYZfYfyHIoGYt7dPUUC/z4LNFwuGWGRqfo  
fqpoA40Ja6hCphgueK4LeH+yGKvQCK1eftSSA3zXqn1EKa7P59LzfPZunyS56Kh/  
pEqFz6KLYjjapPMGqs6Q  
=ffX8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4625-01

Red Hat Security Advisory 2023-4623-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.2.9  security update  
Advisory ID:       RHSA-2023:4623-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4623  
Issue date:        2023-08-11  
CVE Names:         CVE-2023-27487 CVE-2023-27488 CVE-2023-27491   
                   CVE-2023-27492 CVE-2023-27493 CVE-2023-27496   
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.2.9

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an OpenShift Container  
Platform installation.

Security Fix(es):

* envoy: Client may fake the header `x-envoy-original-path`  
(CVE-2023-27487)

* envoy: envoy doesn't escape HTTP header values (CVE-2023-27493)

* envoy: gRPC client produces invalid protobuf when an HTTP header with  
non-UTF8 value is received (CVE-2023-27488)

* envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream  
(CVE-2023-27491)

* envoy:  Crash when a large request body is processed in Lua filter  
(CVE-2023-27492)

* envoy: Crash when a redirect url without a state param is received in the  
oauth filter (CVE-2023-27496)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`  
2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream  
2179139 - CVE-2023-27492 envoy:  Crash when a large request body is processed in Lua filter  
2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter  
2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received  
2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values

5. References:

https://access.redhat.com/security/cve/CVE-2023-27487  
https://access.redhat.com/security/cve/CVE-2023-27488  
https://access.redhat.com/security/cve/CVE-2023-27491  
https://access.redhat.com/security/cve/CVE-2023-27492  
https://access.redhat.com/security/cve/CVE-2023-27493  
https://access.redhat.com/security/cve/CVE-2023-27496  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pfaAAoJENzjgjWX9erE16UP/Az3YBHc2BsjRSY0/48IyI49  
PZ8yFpBCQMocY7dnts48iFeeVZtQlFruLzOOvGWvaKyPCSiyC0XtTg/6sw71XCaf  
bpOsMXNV75ggf0tTO6JEgGqD326pdOnYqXMUfBnxvgtqQ/Ej1kyGCig+c7bEcvB0  
l0m4NsAo224h8U33fnOPbgP/m/0elWCTcZbOUBLd+qRqwE9edZX4Chd+3l3pq5kg  
zJHLKHui/q+dAIqgsoK6CznTglUXuFQlYpu+vlAomrMGED7kx3t7QgttmhlL7krl  
rKIBgJml3nottyavLGmdCBiuklBlcNNV6LHZNkIEaIaH7Hlgbcb0AWHcOr97KXxQ  
K1ZpIdNOX0IDgltC3cGWbmiNmM45KSWKjCTUKXPiD0jlIxbuDIrqT25tOlNw4nRa  
R4hoiJUvUBl33zcg0q1JZmr9iYA7kKmrQUTgjMaFersmaeVaALBsmwdmTasaAsC0  
jdNzrbRB2JCnozPUphYff6Zc0iIKKPmMKtAWDzdyor0eQ+7sPfXNyND2WC5OQtVS  
oLK/juc7CxQkMhOI09goLFMSUEO7czvKzdr5rzG8s1D7JHNtPLlCy2D0X4jAXIKD  
Ca53KIpxVrEUpmrApFvZscITKSyEGt0pouxEh2mFU6Op1ZcnONOeDXz7+KVfQTZZ  
3+soC5oF43vm3/r9KJAz  
=xctn  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4623-01

Red Hat Security Advisory 2023-4624-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. Issues addressed include a memory leak vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh Containers for 2.3.6 security update  
Advisory ID:       RHSA-2023:4624-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4624  
Issue date:        2023-08-11  
CVE Names:         CVE-2023-2828 CVE-2023-35941 CVE-2023-35942   
                   CVE-2023-35943 CVE-2023-35944 CVE-2023-35945   
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.3.6 Containers

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an on-premise  
OpenShift Container Platform installation.

Security Fix(es):

* envoy: OAuth2 credentials exploit with permanent validity  
(CVE-2023-35941)

* envoy: Incorrect handling of HTTP requests and responses with mixed case  
schemes (CVE-2023-35944)

* envoy: HTTP/2 memory leak in nghttp2 codec (CVE-2023-35945)

* envoy: gRPC access log crash caused by the listener draining  
(CVE-2023-35942)

* envoy: CORS filter segfault when origin header is removed  
(CVE-2023-35943)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2217977 - CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity  
2217978 - CVE-2023-35942 envoy: gRPC access log crash caused by the listener draining  
2217983 - CVE-2023-35945 envoy: HTTP/2 memory leak in nghttp2 codec  
2217985 - CVE-2023-35944 envoy: Incorrect handling of HTTP requests and responses with mixed case schemes  
2217987 - CVE-2023-35943 envoy: CORS filter segfault when origin header is removed

5. References:

https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/cve/CVE-2023-35941  
https://access.redhat.com/security/cve/CVE-2023-35942  
https://access.redhat.com/security/cve/CVE-2023-35943  
https://access.redhat.com/security/cve/CVE-2023-35944  
https://access.redhat.com/security/cve/CVE-2023-35945  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk1pfYAAoJENzjgjWX9erE200P/2Y3yaoe64sMk4EThWMQnyDf  
IeHQt7welubO7E6MbIF+8yclV1ckQUFL5ajX8IWtqrTvvnZjYNXmRxSubbPgrBNa  
MUQiyLvj6UXIsMqxaJN9n6rtz1ItbiBNK/AH6ITdN4TAHYG+fzTI58PapJ9g8urX  
8Pd00dx953Jj2gU5toyw6VTR/fJp3ZCgbQxmI78FSnsN77i2/q6WOkJ0TRLcGe+z  
GJw62bxyNKGA1I72NoZqyt/SmIqIhfXP+ofaA4kgWP8XI4/pjL2SDvNsVC0wMNZx  
zQO1cZvYBDo//oZ3NBtR5YpFNZSxpDvv6eiuGOP3LNsTaXot5nAZLSkpzyCFCY9v  
xccDTjVSYysz/aGqa6vTjCd264P4JVMewI/rfDPfaqV3PcCrtm64YCedNTBEwXMx  
uMbdbW02xiX9sRa7Ln38FjvDMCfdOAHaoNOmbOnfS4erQuWF9cJxYXMGPBIk+PY4  
XtxrOPONWbyFPCTspH2D+ISaibu+rK363ZacEXgZ5JOCo5H38y4BINTUPoC2cxF3  
ezwQgKMLPHeCOKBlesQnoPz/EeOL0d3eeNzQvvCAnUk2GCBqazfbxOrjFlqdp9zK  
ugK8VgJcAFiEDeLrhYpSK88BgScJSE/p5cCKdJy3BSHugnVSRD9iKyccuowC3vcT  
ZlAhHXpt+D9ytCT8F+R4  
=ZtLZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#oauth