RHSA-2023:3742 (High, CVSS 8.8)

Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Published: June 21, 2023
Last Modified: June 3, 2026

🔗 CVE IDs covered (33)

📋 Description

CVE-2020-16250 — vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
CVE-2020-16251 — vault: GCP Auth Method Allows Authentication Bypass
CVE-2021-3765 — validator: Inefficient Regular Expression Complexity in Validator.js
CVE-2021-3807 — nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
CVE-2021-4235 — go-yaml: Denial of Service in go-yaml
CVE-2021-4238 — goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
CVE-2021-43998 — vault: incorrect policy enforcement
CVE-2021-44531 — nodejs: Improper handling of URI Subject Alternative Names
CVE-2021-44532 — nodejs: Certificate Verification Bypass via String Injection
CVE-2021-44533 — nodejs: Incorrect handling of certificate subject and issuer fields
CVE-2022-2879 — golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers
CVE-2022-2880 — golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
CVE-2022-3517 — nodejs-minimatch: ReDoS via the braceExpand function
CVE-2022-21824 — nodejs: Prototype pollution via console.table properties
CVE-2022-23540 — jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
CVE-2022-23541 — jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
CVE-2022-27664 — golang: net/http: handle server errors after sending GOAWAY
CVE-2022-30635 — golang: encoding/gob: stack exhaustion in Decoder.Decode
CVE-2022-32189 — golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
CVE-2022-32190 — golang: net/url: JoinPath does not strip relative path components in all circumstances
CVE-2022-38149 — consul: Consul Template May Expose Vault Secrets When Processing Invalid Input
CVE-2022-38900 — decode-uri-component: improper input validation resulting in DoS
CVE-2022-41316 — vault: insufficient certificate revocation list checking
CVE-2022-41715 — golang: regexp/syntax: limit memory used by parsing regexps
CVE-2022-41717 — golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
CVE-2022-41723 — golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
CVE-2022-41724 — golang: crypto/tls: large handshake records may cause panics
CVE-2022-41725 — golang: net/http, mime/multipart: denial of service from excessive resource consumption
CVE-2022-46175 — json5: Prototype Pollution in JSON5 via Parse Method
CVE-2023-0620 — vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File
CVE-2023-0665 — hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata
CVE-2023-24999 — Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
CVE-2023-25000 — hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations

🔗 References (202)