Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.28.0 Release.
🔗 CVE IDs covered (39)
📋 Description
- CVE-2025-14813 — bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly
- CVE-2025-68121 — crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
- CVE-2026-0636 — bouncycastle: BC-JAVA: LDAP injection vulnerability in LDAPStoreHelper.java
- CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
- CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
- CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length
- CVE-2026-1605 — org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests
- CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
- CVE-2026-2327 — markdown-it: markdown-it: Denial of Service via Regular Expression Denial of Service in linkify function
- CVE-2026-5588 — bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid
- CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns
- CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
- CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion
- CVE-2026-30827 — express-rate-limit: express-rate-limit: Denial of Service for IPv4 clients due to incorrect IPv6 subnet masking
- CVE-2026-31802 — tar: tar: File overwrite via drive-relative symlink traversal
- CVE-2026-32141 — flatted: flatted: Unbounded recursion DoS in parse() revive phase
- CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
- CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
- CVE-2026-32305 — Traefik: github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello
- CVE-2026-33252 — encoding/json: golang: github.com/modelcontextprotocol/go-sdk: Go MCP SDK: Remote tool execution via cross-site request forgery
- CVE-2026-33810 — crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
- CVE-2026-34742 — github.com/modelcontextprotocol/go-sdk: Model Context Protocol (MCP) Go SDK: DNS rebinding vulnerability allows unauthorized access
- CVE-2026-35051 — Traefik: github.com/traefik/traefik: Traefik: Authentication bypass in ForwardAuth middleware
- CVE-2026-39858 — traefik: Traefik: Authentication bypass via unsanitized alias headers
- CVE-2026-40477 — thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution
- CVE-2026-40478 — thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass
- CVE-2026-40611 — github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server
- CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
- CVE-2026-40912 — github.com/traefik/traefik: Traefik: Authentication bypass via crafted URL dot-segments in StripPrefixRegex middleware
- CVE-2026-40972 — Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison
- CVE-2026-40973 — Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
- CVE-2026-40975 — Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure
- CVE-2026-41240 — DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
- CVE-2026-42033 — axios: Axios: HTTP Transport Hijacking via Prototype Pollution
- CVE-2026-42035 — axios: Axios: Arbitrary HTTP header injection via prototype pollution
- CVE-2026-42039 — axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
- CVE-2026-42041 — axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
- CVE-2026-42043 — axios: Axios: NO_PROXY bypass via crafted URL
- CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget
🔗 References (43)
- self: https://access.redhat.com/errata/RHSA-2026:21772
- external: https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.28/html/administration_guide/installing-devspaces
- external: https://access.redhat.com/security/cve/CVE-2025-14813
- external: https://access.redhat.com/security/cve/CVE-2025-68121
- external: https://access.redhat.com/security/cve/CVE-2026-0636
- external: https://access.redhat.com/security/cve/CVE-2026-1525
- external: https://access.redhat.com/security/cve/CVE-2026-1526
- external: https://access.redhat.com/security/cve/CVE-2026-1528
- external: https://access.redhat.com/security/cve/CVE-2026-1605
- external: https://access.redhat.com/security/cve/CVE-2026-2229
- external: https://access.redhat.com/security/cve/CVE-2026-2327
- external: https://access.redhat.com/security/cve/CVE-2026-26996
- external: https://access.redhat.com/security/cve/CVE-2026-27904
- external: https://access.redhat.com/security/cve/CVE-2026-29074
- external: https://access.redhat.com/security/cve/CVE-2026-30827
- external: https://access.redhat.com/security/cve/CVE-2026-31802
- external: https://access.redhat.com/security/cve/CVE-2026-32141
- external: https://access.redhat.com/security/cve/CVE-2026-32280
- external: https://access.redhat.com/security/cve/CVE-2026-32282
- external: https://access.redhat.com/security/cve/CVE-2026-32305
- external: https://access.redhat.com/security/cve/CVE-2026-33252
- external: https://access.redhat.com/security/cve/CVE-2026-33810
- external: https://access.redhat.com/security/cve/CVE-2026-34742
- external: https://access.redhat.com/security/cve/CVE-2026-35051
- external: https://access.redhat.com/security/cve/CVE-2026-39858
- external: https://access.redhat.com/security/cve/CVE-2026-40477
- external: https://access.redhat.com/security/cve/CVE-2026-40478
- external: https://access.redhat.com/security/cve/CVE-2026-40611
- external: https://access.redhat.com/security/cve/CVE-2026-40895
- external: https://access.redhat.com/security/cve/CVE-2026-40912
- external: https://access.redhat.com/security/cve/CVE-2026-40972
- external: https://access.redhat.com/security/cve/CVE-2026-40973
- external: https://access.redhat.com/security/cve/CVE-2026-40975
- external: https://access.redhat.com/security/cve/CVE-2026-41240
- external: https://access.redhat.com/security/cve/CVE-2026-42033
- external: https://access.redhat.com/security/cve/CVE-2026-42035
- external: https://access.redhat.com/security/cve/CVE-2026-42039
- external: https://access.redhat.com/security/cve/CVE-2026-42041
- external: https://access.redhat.com/security/cve/CVE-2026-42043
- external: https://access.redhat.com/security/cve/CVE-2026-42044
- external: https://access.redhat.com/security/cve/CVE-2026-5588
- external: https://access.redhat.com/security/updates/classification/
- self: https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_21772.json