Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2024:1878
HistoryApr 18, 2024 - 12:58 a.m.

(RHSA-2024:1878) Moderate: RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements

2024-04-1800:58:43
access.redhat.com
32
red hat update infrastructure
security updates
bug fixes
cloud providers
highly scalable
redundant
content management
rhel
python django
aiohttp
python cryptography
jinja2
pulpcore
ansible module
vulnerabilities
cve
denial of service
http smuggling
directory traversal
crlf injection
bug fix
enhancement

6.8 Medium

AI Score

Confidence

High

0.052 Low

EPSS

Percentile

93.0%

JSON

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant
framework that enables you to manage repositories and content. It also enables
cloud providers to deliver content and updates to Red Hat Enterprise Linux
(RHEL) instances.

Security Fix(es):

  • python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)

  • python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

  • python-django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)

  • python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

  • python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  • aiohttp: HTTP request modification (CVE-2023-49081)

  • python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  • jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  • aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  • python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

  • python-aiohttp: http request smuggling (CVE-2024-23829)

  • Django: denial-of-service in intcomma template filter (CVE-2024-24680)

  • python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)

  • aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

This RHUI update fixes the following bugs:

  • The rhui-installer failed on RHEL 8.10 Beta due to the use of distutils. This has been addressed by updating to a newer version of ansible-collection-community-crypto which does not use the distutils.

This RHUI update introduces the following enhancements:

  • A native Ansible module is now used to update the packages on the RHUA server when the RHUI installer is run for the first time or rerun at any time. This update can be prevented by using the --ignore-newer-rhel-packages flag on the rhui-installer command line.

  • PulpCore has been updated to version 3.39.

OSVersionArchitecturePackageVersionFilename
RedHat8noarchpython3.11-opentelemetry_instrumentation< 0.40b0-5.el8uipython3.11-opentelemetry_instrumentation-0.40b0-5.el8ui.noarch.rpm
RedHat8noarchpython3.11-pyjwt< 2.5.0-4.el8uipython3.11-pyjwt-2.5.0-4.el8ui.noarch.rpm
RedHat8noarchpython3.11-asyncio-throttle< 1.0.2-6.el8uipython3.11-asyncio-throttle-1.0.2-6.el8ui.noarch.rpm
RedHat8noarchpython3.11-drf-spectacular< 0.26.5-4.el8uipython3.11-drf-spectacular-0.26.5-4.el8ui.noarch.rpm
RedHat8noarchpython3.11-opentelemetry_api< 1.19.0-3.el8uipython3.11-opentelemetry_api-1.19.0-3.el8ui.noarch.rpm
RedHat8noarchpython3-pulp-rpm-client< 3.23.0-2.0.1.el8uipython3-pulp-rpm-client-3.23.0-2.0.1.el8ui.noarch.rpm
RedHat8x86_64python-pycryptodomex-debugsource< 3.14.1-5.el8uipython-pycryptodomex-debugsource-3.14.1-5.el8ui.x86_64.rpm
RedHat8noarchpython3-gunicorn< 20.1.0-7.1.2.el8uipython3-gunicorn-20.1.0-7.1.2.el8ui.noarch.rpm
RedHat8noarchpython3.11-djangorestframework-queryfields< 1.0.0-7.el8uipython3.11-djangorestframework-queryfields-1.0.0-7.el8ui.noarch.rpm
RedHat8x86_64python-grpcio-debugsource< 1.56.0-4.el8uipython-grpcio-debugsource-1.56.0-4.el8ui.x86_64.rpm
Rows per page:
1-10 of 1521

Related

nessus 27
fedora 16
openvas 26
redhat 6
redos 3
ibm 4
debiancve 8
cve 7
nvd 8
prion 7
ubuntucve 7
alpinelinux 4
osv 23
cvelist 8
ubuntu 3
hackerone 1
github 7
veracode 7
redhatcve 7
f5 1
githubexploit 6
freebsd 1
wolfi 5
attackerkb 1
cgr 5
nuclei 1
nessus
nessus
RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)
2024-04-18 00:00:00
RHEL 8 : Satellite 6.14.3 Async Security Update (Moderate) (RHSA-2024:1536)
2024-04-28 00:00:00
Fedora 38 : python-django3 (2024-84fbbbb914)
2024-04-20 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: python-django3-3.2.25-2.fc38
2024-04-20 02:14:46
[SECURITY] Fedora 37 Update: python-asgiref-3.5.2-1.fc37
2023-10-23 01:25:12
[SECURITY] Fedora 38 Update: python-asgiref-3.5.2-1.fc38
2023-10-15 01:44:29
openvas
openvas
Fedora: Security Advisory for python-django3 (FEDORA-2024-84fbbbb914)
2024-05-27 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0577-1)
2024-02-22 00:00:00
Fedora: Security Advisory for python-asgiref (FEDORA-2023-cc023fabb7)
2023-10-16 00:00:00
redhat
redhat
(RHSA-2024:1536) Moderate: Satellite 6.14.3 Async Security Update
2024-03-27 13:14:03
(RHSA-2024:1640) Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update
2024-04-02 19:19:20
(RHSA-2024:2010) Important: Satellite 6.15.0 release
2024-04-23 17:00:52
redos
redos
ROS-20240318-01
2024-03-18 00:00:00
ROS-20240423-07
2024-04-23 00:00:00
ROS-20240410-14
2024-04-10 00:00:00
ibm
ibm
Security Bulletin: IBM Storage Fusion is vulnerable to HTTP request smuggling, denial of server due to aiohttp, cryptography.
2024-05-11 16:56:44
Security Bulletin: IBM Storage Fusion HCI is vulnerable to HTTP request smuggling, denial of server due to aiohttp, cryptography.
2024-05-11 16:56:18
Security Bulletin: IBM Cloud Pak for Network Automation 2.7.1 addresses multiple existing security vulnerabilities
2024-04-02 10:47:50
debiancve
debiancve
CVE-2024-23829
2024-01-29 23:15:08
CVE-2024-27351
2024-03-15 20:15:09
CVE-2024-24680
2024-02-06 22:16:15
cve
cve
CVE-2024-23829
2024-01-29 23:15:08
CVE-2024-27351
2024-03-15 20:15:09
CVE-2023-37276
2023-07-19 20:15:10
nvd
nvd
CVE-2024-23829
2024-01-29 23:15:08
CVE-2024-27351
2024-03-15 20:15:09
CVE-2024-23342
2024-01-23 00:15:26
prion
prion
Security feature bypass
2024-01-29 23:15:00
Code injection
2024-01-23 00:15:00
Design/Logic Flaw
2023-07-19 20:15:00
ubuntucve
ubuntucve
CVE-2024-23829
2024-01-29 00:00:00
CVE-2024-27351
2024-03-04 00:00:00
CVE-2024-23342
2024-01-23 00:00:00
alpinelinux
alpinelinux
CVE-2024-23829
2024-01-29 23:15:08
CVE-2024-27351
2024-03-15 20:15:09
CVE-2024-23342
2024-01-23 00:15:26
osv
osv
CVE-2024-23829
2024-01-29 23:15:08
PYSEC-2024-26
2024-01-29 23:15:00
python-django vulnerabilities
2023-10-04 22:01:08
cvelist
cvelist
CVE-2024-23829 aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
2024-01-29 22:41:35
CVE-2024-27351
2024-03-15 00:00:00
CVE-2023-37276 aiohttp vulnerable to HTTP request smuggling
2023-07-19 19:39:19
ubuntu
ubuntu
Django vulnerabilities
2023-10-04 00:00:00
Django vulnerability
2024-03-04 00:00:00
Django vulnerability
2024-02-06 00:00:00
hackerone
hackerone
Internet Bug Bounty: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
2024-03-05 10:53:54
github
github
Regular expression denial-of-service in Django
2024-03-15 21:30:43
Minerva timing attack on P-256 in python-ecdsa
2024-01-22 21:35:27
aiohttp is vulnerable to directory traversal
2024-01-29 22:31:03
veracode
veracode
Request Smuggling
2024-01-30 10:19:52
Minerva Attack
2024-01-24 05:56:20
Path Traversal
2024-01-30 07:29:34
redhatcve
redhatcve
CVE-2024-23342
2024-01-24 09:49:28
CVE-2023-37276
2023-07-21 11:30:35
CVE-2024-23829
2024-01-30 11:02:10
f5
f5
K000139353 : aiohttp vulnerability CVE-2024-23334
2024-04-19 00:00:00
githubexploit
githubexploit
Exploit for Path Traversal in Aiohttp
2024-06-17 16:28:35
Exploit for Path Traversal in Aiohttp
2024-03-17 10:56:02
Exploit for Path Traversal in Aiohttp
2024-02-28 22:30:21
freebsd
freebsd
Django -- multiple vulnerabilities
2024-01-09 00:00:00
wolfi
wolfi
CVE-2024-23334 vulnerabilities
2024-07-05 09:08:40
CVE-2024-24680 vulnerabilities
2024-07-05 09:08:40
CVE-2024-27351 vulnerabilities
2024-07-05 09:08:40
attackerkb
attackerkb
CVE-2024-23334
2024-01-29 00:00:00
cgr
cgr
CVE-2024-23334 vulnerabilities
2024-05-19 03:07:16
CVE-2023-49082 vulnerabilities
2024-05-19 03:07:16
CVE-2023-49081 vulnerabilities
2024-05-19 03:07:16
nuclei
nuclei
aiohttp - Directory Traversal
2024-02-28 04:56:41

6.8 Medium

AI Score

Confidence

High

0.052 Low

EPSS

Percentile

93.0%

JSON
Related for RHSA-2024:1878
nessus27fedora16openvas26redhat6redos3ibm4debiancve8cve7nvd8prion7ubuntucve7alpinelinux4osv23cvelist8ubuntu3hackerone1github7veracode7redhatcve7f51githubexploit6freebsd1wolfi5attackerkb1cgr5nuclei1