Red Hat Security Advisory: Cluster Observability Operator 1.5.0
🔗 CVE IDs covered (41)
📋 Description
CVE-2020-7753 — nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function CVE-2021-33623 — nodejs-trim-newlines: ReDoS in .end() method CVE-2024-4068 — braces: fails to limit the number of characters it can handle CVE-2024-45338 — golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html CVE-2024-52011 — launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization CVE-2025-22868 — golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws CVE-2025-22870 — golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net CVE-2025-22872 — golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net CVE-2025-47911 — golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html CVE-2025-58190 — golang.org/x/net/html: Infinite parsing loop in golang.org/x/net CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-4867 — path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters CVE-2026-6321 — fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies CVE-2026-6322 — fast-uri: fast-uri: URI authority bypass due to improper delimiter handling CVE-2026-6734 — undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing CVE-2026-9277 — shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators CVE-2026-9697 — undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy CVE-2026-12143 — form-data: form-data: Form field override via CRLF injection CVE-2026-12151 — undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames CVE-2026-25680 — golang.org/x/net/html: golang.org/x/net/html: Denial of Service due to excessive HTML parsing CVE-2026-25681 — golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-32141 — flatted: flatted: Unbounded recursion DoS in parse() revive phase CVE-2026-33228 — flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON. CVE-2026-33671 — picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns CVE-2026-33814 — net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame CVE-2026-33891 — node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse() CVE-2026-33894 — node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification CVE-2026-33895 — node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures CVE-2026-33896 — node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance CVE-2026-33937 — handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() CVE-2026-33938 — handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite CVE-2026-33939 — handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation CVE-2026-33940 — handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context CVE-2026-33941 — handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw CVE-2026-39821 — golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing CVE-2026-42506 — golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing CVE-2026-48779 — ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
🔗 References (46)
- selfhttps://access.redhat.com/errata/RHSA-2026:34342
- externalhttps://access.redhat.com/security/cve/CVE-2020-7753
- externalhttps://access.redhat.com/security/cve/CVE-2021-33623
- externalhttps://access.redhat.com/security/cve/CVE-2024-4068
- externalhttps://access.redhat.com/security/cve/CVE-2024-45338
- externalhttps://access.redhat.com/security/cve/CVE-2024-52011
- externalhttps://access.redhat.com/security/cve/CVE-2025-22868
- externalhttps://access.redhat.com/security/cve/CVE-2025-22870
- externalhttps://access.redhat.com/security/cve/CVE-2025-22872
- externalhttps://access.redhat.com/security/cve/CVE-2025-47911
- externalhttps://access.redhat.com/security/cve/CVE-2025-58190
- externalhttps://access.redhat.com/security/cve/CVE-2026-12143
- externalhttps://access.redhat.com/security/cve/CVE-2026-12151
- externalhttps://access.redhat.com/security/cve/CVE-2026-1526
- externalhttps://access.redhat.com/security/cve/CVE-2026-1528
- externalhttps://access.redhat.com/security/cve/CVE-2026-2229
- externalhttps://access.redhat.com/security/cve/CVE-2026-25680
- externalhttps://access.redhat.com/security/cve/CVE-2026-25681
- externalhttps://access.redhat.com/security/cve/CVE-2026-29063
- externalhttps://access.redhat.com/security/cve/CVE-2026-32141
- externalhttps://access.redhat.com/security/cve/CVE-2026-33228
- externalhttps://access.redhat.com/security/cve/CVE-2026-33671
- externalhttps://access.redhat.com/security/cve/CVE-2026-33814
- externalhttps://access.redhat.com/security/cve/CVE-2026-33891
- externalhttps://access.redhat.com/security/cve/CVE-2026-33894
- externalhttps://access.redhat.com/security/cve/CVE-2026-33895
- externalhttps://access.redhat.com/security/cve/CVE-2026-33896
- externalhttps://access.redhat.com/security/cve/CVE-2026-33937
- externalhttps://access.redhat.com/security/cve/CVE-2026-33938
- externalhttps://access.redhat.com/security/cve/CVE-2026-33939
- externalhttps://access.redhat.com/security/cve/CVE-2026-33940
- externalhttps://access.redhat.com/security/cve/CVE-2026-33941
- externalhttps://access.redhat.com/security/cve/CVE-2026-39821
- externalhttps://access.redhat.com/security/cve/CVE-2026-42506
- externalhttps://access.redhat.com/security/cve/CVE-2026-4800
- externalhttps://access.redhat.com/security/cve/CVE-2026-4867
- externalhttps://access.redhat.com/security/cve/CVE-2026-48779
- externalhttps://access.redhat.com/security/cve/CVE-2026-6321
- externalhttps://access.redhat.com/security/cve/CVE-2026-6322
- externalhttps://access.redhat.com/security/cve/CVE-2026-6734
- externalhttps://access.redhat.com/security/cve/CVE-2026-9277
- externalhttps://access.redhat.com/security/cve/CVE-2026-9697
- externalhttps://access.redhat.com/security/updates/classification
- externalhttps://access.redhat.com/security/updates/classification/
- externalhttps://docs.openshift.com/container-platform/latest/observability/cluster_observability_operator/cluster-observability-operator-release-notes.html
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_34342.json