Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.20.15 security, enhancement & bug fix update
🔗 CVE IDs covered (22)
📋 Description
CVE-2025-12816 — node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions CVE-2025-15284 — qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-66031 — node-forge: node-forge ASN.1 Unbounded Recursion CVE-2025-68157 — webpack: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects CVE-2025-68458 — webpack: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior CVE-2025-69873 — ajv: ReDoS via $data reference CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects CVE-2026-25128 — fast-xml-parser: fast-xml-parser has RangeError DoS Numeric Entities Bug CVE-2026-25896 — fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling CVE-2026-26278 — fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions CVE-2026-27942 — fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-33036 — fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVE-2026-33815 — github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability CVE-2026-33816 — github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object CVE-2026-48779 — ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
🔗 References (26)
- selfhttps://access.redhat.com/errata/RHSA-2026:40984
- externalhttps://access.redhat.com/security/cve/CVE-2025-12816
- externalhttps://access.redhat.com/security/cve/CVE-2025-13465
- externalhttps://access.redhat.com/security/cve/CVE-2025-15284
- externalhttps://access.redhat.com/security/cve/CVE-2025-66031
- externalhttps://access.redhat.com/security/cve/CVE-2025-68157
- externalhttps://access.redhat.com/security/cve/CVE-2025-68458
- externalhttps://access.redhat.com/security/cve/CVE-2025-69873
- externalhttps://access.redhat.com/security/cve/CVE-2026-22029
- externalhttps://access.redhat.com/security/cve/CVE-2026-25128
- externalhttps://access.redhat.com/security/cve/CVE-2026-25896
- externalhttps://access.redhat.com/security/cve/CVE-2026-26278
- externalhttps://access.redhat.com/security/cve/CVE-2026-26996
- externalhttps://access.redhat.com/security/cve/CVE-2026-27904
- externalhttps://access.redhat.com/security/cve/CVE-2026-27942
- externalhttps://access.redhat.com/security/cve/CVE-2026-29063
- externalhttps://access.redhat.com/security/cve/CVE-2026-33036
- externalhttps://access.redhat.com/security/cve/CVE-2026-33186
- externalhttps://access.redhat.com/security/cve/CVE-2026-33815
- externalhttps://access.redhat.com/security/cve/CVE-2026-33816
- externalhttps://access.redhat.com/security/cve/CVE-2026-34986
- externalhttps://access.redhat.com/security/cve/CVE-2026-4800
- externalhttps://access.redhat.com/security/cve/CVE-2026-48779
- externalhttps://access.redhat.com/security/updates/classification/
- externalhttps://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_40984.json