{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-38297", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T01:37:16.318Z", "dateReserved": "2021-08-09T00:00:00", "datePublished": "2021-10-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-04-19T00:00:00"}, "descriptions": [{"lang": "en", "value": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://groups.google.com/forum/#%21forum/golang-announce"}, {"url": "https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A"}, {"url": "https://security.netapp.com/advisory/ntap-20211118-0006/"}, {"name": "FEDORA-2021-2ef35beebf", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"name": "FEDORA-2021-2b2dd1b5a7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.318Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/forum/#%21forum/golang-announce", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20211118-0006/", "tags": ["x_transferred"]}, {"name": "FEDORA-2021-2ef35beebf", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"name": "FEDORA-2021-2b2dd1b5a7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "742B25A2-47FE-4358-9941-1C7B38EE8830", "versionEndExcluding": "1.16.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "2ED7EEC3-ED1D-41B1-8273-DE2123B7460D", "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used."}, {"lang": "es", "value": "Go versiones anteriores a 1.16.9 y versiones 1.17.x anteriores a 1.17.2, presenta un Desbordamiento de B\u00fafer por medio de argumentos grandes en una invocaci\u00f3n de funci\u00f3n desde un m\u00f3dulo WASM, cuando GOARCH=wasm GOOS=js es usado"}], "id": "CVE-2021-38297", "lastModified": "2024-11-21T06:16:44.623", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-18T06:15:06.870", "references": [{"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/golang-announce"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211118-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21forum/golang-announce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211118-0006/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.20.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.20.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.26.0-2", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.20.0-3", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.20.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-domain-mapping-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.26.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.20.0-1", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:0.26.0-2", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:0.26.0-2", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:0.26.0-2", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0434", "cpe": "cpe:/a:redhat:serverless:1.20::el8", "package": "openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:0.26.0-2", "product_name": "Openshift Serveless 1.20", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:0432", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.26.0-2.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2022-02-03T00:00:00Z"}, {"advisory": "RHSA-2022:1819", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8060020220221035359.76a129d7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "golang: Command-line arguments may overwrite global data", "id": "2012887", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2012887"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.", "A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions,  it is not affected,  although it uses golang."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2021-38297", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-all-in-one-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Not affected", "package_name": "rhmtc/openshift-migration-rhel8-operator", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "CLI", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "rox", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Not affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Fix deferred", "package_name": "go-toolset-1.15-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:1.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:2.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "bridge-marker-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cluster-network-addons-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cnv-containernetworking-plugins-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cnv-must-gather-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubevirt-cpu-node-labeller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "container-native-virtualization/vm-import-controller-rhel8", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hyperconverged-cluster-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hyperconverged-cluster-webhook-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubemacpool-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubernetes-nmstate-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-ssp-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-template-validator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-vmware-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "node-maintenance-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "ovs-cni-marker-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "ovs-cni-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-api-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-apiserver-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-cloner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-controller-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-importer-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-uploadproxy-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-cdi-uploadserver-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-controller-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-launcher-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "virt-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "vm-import-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/bridge-marker", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/cluster-network-addons-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/cnv-containernetworking-plugins", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/cnv-must-gather-rhel8", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/hostpath-provisioner-rhel8", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/hostpath-provisioner-rhel8-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/hyperconverged-cluster-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/hyperconverged-cluster-webhook-rhel8", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubemacpool", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubernetes-nmstate-handler-rhel8", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubevirt-ssp-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubevirt-template-validator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/kubevirt-vmware", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/node-maintenance-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/ovs-cni-marker", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/ovs-cni-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-api", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-apiserver", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-cloner", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-controller", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-importer", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-uploadproxy", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-cdi-uploadserver", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-controller", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-handler", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-launcher", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/vm-import-controller-rhel8", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/vm-import-operator-rhel8", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "golang-github-vbatts-tar-split", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-bridge-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-container-security-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-openshift-bridge-rhel8-operator", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-git227-git-lfs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Not affected", "package_name": "smart-gateway-container", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.0::el7", "fix_state": "Not affected", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.2 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8", "fix_state": "Will not fix", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.3 for RHEL 8"}], "public_date": "2021-10-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-38297\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38297\nhttps://groups.google.com/g/golang-announce/c/AEBu9j7yj5A"], "statement": "* Although this flaw has a higher CVSS score, in a strict sense, the flaw could possibly enable code exec, either Red Hat products don't use WASM, or don't expose WASM functions in a way that makes code exec possible. For this reason, the Red Hat impact for this flaw is Moderate.\n* Because the flawed code is not actually used in Service Telemetry Framework1.3, no update will be provided at this time for STF's sg-core-container.\n*For a WASM Module to be vulnerable, it needs to be built using GOARCH=wasm GOOS=js (build options for WebAssembly).\n*CVE-2021-38297 is a vulnerability that affects Go (golang). It has been fixed in versions 1.17.2 and 1.16.9.\n*CVE-2021-38297 does not affect the OpenShift Container Platform (OCP) because it does not build anything with GOARCH=wasm GOOS=js. Hence, OCP-based services are not affected either.", "threat_severity": "Moderate"}