Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.29.0 Release.
🔗 CVE IDs covered (31)
📋 Description
CVE-2026-6734 — undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing
CVE-2026-9697 — undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
CVE-2026-12151 — undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
CVE-2026-12856 — vscode-java: vscode: Command Injection vulnerability in the JavaDoc hover provider of the vscode-java extension
CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
CVE-2026-39821 — golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
CVE-2026-39829 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
CVE-2026-42338 — ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input
CVE-2026-42578 — netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
CVE-2026-42579 — netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement
CVE-2026-42581 — netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers
CVE-2026-42583 — netty: io.netty/netty-codec-compression: io.netty/netty-codec: Netty: Denial of Service via excessive memory allocation in LZ4FrameDecoder
CVE-2026-42584 — netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion
CVE-2026-42587 — netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression
CVE-2026-44249 — netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation
CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits
CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
CVE-2026-44774 — traefik: Traefik: Privilege escalation via Kubernetes Gateway API provider configuration bypass
CVE-2026-44893 — netty-codec-haproxy: Netty-codec-haproxy: Denial of Service via malformed HAProxy message
CVE-2026-45292 — opentelemetry-java: opentelemetry-api: opentelemetry-extension-trace-propagators: OpenTelemetry Java: Denial of Service due to unbounded memory allocation when parsing oversized baggage
CVE-2026-45736 — ws: ws: Uninitialized memory disclosure via websocket.close() with TypedArray
CVE-2026-46595 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
CVE-2026-48043 — netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak
CVE-2026-48059 — netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers
CVE-2026-48779 — ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
CVE-2026-50559 — io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters
🔗 References (35)
- selfhttps://access.redhat.com/errata/RHSA-2026:36820
- externalhttps://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.29/html/administration_guide/installing-devspaces
- externalhttps://access.redhat.com/security/cve/CVE-2026-12151
- externalhttps://access.redhat.com/security/cve/CVE-2026-12856
- externalhttps://access.redhat.com/security/cve/CVE-2026-34986
- externalhttps://access.redhat.com/security/cve/CVE-2026-39821
- externalhttps://access.redhat.com/security/cve/CVE-2026-39829
- externalhttps://access.redhat.com/security/cve/CVE-2026-42338
- externalhttps://access.redhat.com/security/cve/CVE-2026-42578
- externalhttps://access.redhat.com/security/cve/CVE-2026-42579
- externalhttps://access.redhat.com/security/cve/CVE-2026-42581
- externalhttps://access.redhat.com/security/cve/CVE-2026-42583
- externalhttps://access.redhat.com/security/cve/CVE-2026-42584
- externalhttps://access.redhat.com/security/cve/CVE-2026-42587
- externalhttps://access.redhat.com/security/cve/CVE-2026-44249
- externalhttps://access.redhat.com/security/cve/CVE-2026-44486
- externalhttps://access.redhat.com/security/cve/CVE-2026-44487
- externalhttps://access.redhat.com/security/cve/CVE-2026-44488
- externalhttps://access.redhat.com/security/cve/CVE-2026-44492
- externalhttps://access.redhat.com/security/cve/CVE-2026-44494
- externalhttps://access.redhat.com/security/cve/CVE-2026-44495
- externalhttps://access.redhat.com/security/cve/CVE-2026-44496
- externalhttps://access.redhat.com/security/cve/CVE-2026-44774
- externalhttps://access.redhat.com/security/cve/CVE-2026-44893
- externalhttps://access.redhat.com/security/cve/CVE-2026-45292
- externalhttps://access.redhat.com/security/cve/CVE-2026-45736
- externalhttps://access.redhat.com/security/cve/CVE-2026-46595
- externalhttps://access.redhat.com/security/cve/CVE-2026-48043
- externalhttps://access.redhat.com/security/cve/CVE-2026-48059
- externalhttps://access.redhat.com/security/cve/CVE-2026-48779
- externalhttps://access.redhat.com/security/cve/CVE-2026-50559
- externalhttps://access.redhat.com/security/cve/CVE-2026-6734
- externalhttps://access.redhat.com/security/cve/CVE-2026-9697
- externalhttps://access.redhat.com/security/updates/classification/
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36820.json