Bug 2311153 (CVE-2024-43799)

Summary: CVE-2024-43799 send: Code Execution Vulnerability in Send Library
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, adupliak, akostadi, amasferr, amctagga, anjoseph, asoldano, bbaranow, bdettelb, bmaxwell, brian.stansberry, brking, cbartlet, cdaley, cdewolf, chazlett, cmiranda, danken, darran.lofthouse, dhanak, dholler, dkreling, dmayorov, doconnor, dosoudil, dsimansk, dymurray, eaguilar, ebaron, ecerquei, eric.wittmann, fdeutsch, fjuma, gkamathe, gmalinko, gotiwari, gparvin, gtanzill, haoli, hkataria, ibek, ibolton, istudens, ivassile, iweiss, janstey, jcammara, jcantril, jchui, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jpallich, jprabhak, jrokos, jwendell, kingland, kshier, ktsao, kverlaen, lbainbri, lgao, mabashia, matzew, mjaros, mkudlej, mmakovy, mnovotny, mosmerov, msochure, msvehla, mvyas, mwringe, nboldt, nipatil, njean, nwallace, oramraz, owatkins, pahickey, pantinor, parichar, pbraun, pcongius, pdelbell, pgaikwad, phoracek, pierdipi, pjindal, pmackay, rcernich, rguimara, rhaigner, rhuss, rjohnson, rkubis, rstancel, rstepani, rtaniwa, saroy, sdawley, sfroberg, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, stirabos, tasato, teagle, tfister, thavo, tjochec, tkral, tom.jenkinson, twalsh, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2311615, 2311616, 2311587, 2311588, 2311589, 2311590, 2311592, 2311593, 2311594, 2311595, 2311596, 2311597, 2311598, 2311599, 2311600, 2311601, 2311602, 2311603, 2311604, 2311610, 2311611, 2311612, 2311613, 2311614, 2311617, 2311618, 2311619, 2311620, 2311621, 2311622, 2311623, 2311624, 2311626, 2311627, 2311628, 2311629, 2311630, 2311631, 2311632, 2311633, 2311634, 2311635    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-10 15:30:55 UTC 
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
Comment 1 errata-xmlrpc 2024-10-07 09:22:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2024:7724 https://access.redhat.com/errata/RHSA-2024:7724
Comment 2 errata-xmlrpc 2024-10-07 09:25:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726
Comment 3 errata-xmlrpc 2024-10-07 09:25:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:7725 https://access.redhat.com/errata/RHSA-2024:7725
Comment 4 errata-xmlrpc 2024-10-14 01:00:32 UTC 
This issue has been addressed in the following products:

  RHOSS-1.34-RHEL-8

Via RHSA-2024:8023 https://access.redhat.com/errata/RHSA-2024:8023
Comment 5 errata-xmlrpc 2024-10-22 01:06:45 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.7.0-RHEL-9

Via RHSA-2024:8014 https://access.redhat.com/errata/RHSA-2024:8014
Comment 6 errata-xmlrpc 2024-10-30 14:34:07 UTC 
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676
Comment 7 errata-xmlrpc 2024-12-10 01:37:31 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906
Comment 8 errata-xmlrpc 2024-12-12 20:00:51 UTC 
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023
Comment 9 errata-xmlrpc 2025-01-08 10:04:07 UTC 
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2025:0079 https://access.redhat.com/errata/RHSA-2025:0079
Comment 10 errata-xmlrpc 2025-01-08 11:31:45 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082
Comment 11 errata-xmlrpc 2025-01-09 11:28:32 UTC 
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:0164 https://access.redhat.com/errata/RHSA-2025:0164
Comment 12 errata-xmlrpc 2025-01-15 01:19:44 UTC 
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:0323 https://access.redhat.com/errata/RHSA-2025:0323
Comment 14 errata-xmlrpc 2025-02-05 10:49:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875