History: Jul 01, 2024 - 12:38 a.m.

(RHSA-2024:3637) Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.3.0 for RHEL 9

2024-07-01 00:38:25
access.redhat.com
red hat openshift
secondary scheduler operator
custom plugins
deployment
cve-2023-45290
cve-2024-24783
cve-2024-24784
cve-2024-24785
cve-2023-45288
cve-2024-24786

CVSS3: 7.5

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.5 (Confidence: Low)

The Secondary Scheduler Operator for Red Hat OpenShift is an optional
operator that makes it possible to deploy a secondary scheduler by
providing a scheduler image. You can run a scheduler with custom
plugins without applying additional manifests, such as cluster roles
and deployments.

Security Fix(es):

  • golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
  • golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
  • golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
  • golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
  • golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
