Bug 2311153 (CVE-2024-43799) - CVE-2024-43799 send: Code Execution Vulnerability in Send Library
Summary: CVE-2024-43799 send: Code Execution Vulnerability in Send Library
Keywords:
Status: NEW
Alias: CVE-2024-43799
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2311588 2311589 2311590 2311592 2311594 2311596 2311597 2311598 2311599 2311600 2311601 2311603 2311610 2311611 2311614 2311615 2311616 2311617 2311618 2311619 2311620 2311621 2311622 2311623 2311624 2311626 2311627 2311628 2311629 2311630 2311631 2311632 2311633 2311634 2311635 2311587 2311593 2311595 2311602 2311604 2311612 2311613
Blocks:
Reported: 2024-09-10 15:30 UTC by OSIDB Bzimport
Modified: 2024-10-30 14:34 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Send library. Untrusted input passed to the SendStream.redirect() function is embedded in the HTML body of the redirect response that Send generates, allowing an attacker to get script executed in the browser of a client that receives that response. The issue is fixed upstream in send 0.19.0.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:7724  0        None      None    None     2024-10-07 09:22:51 UTC
Red Hat Product Errata  RHSA-2024:7725  0        None      None    None     2024-10-07 09:25:58 UTC
Red Hat Product Errata  RHSA-2024:7726  0        None      None    None     2024-10-07 09:25:20 UTC
Red Hat Product Errata  RHSA-2024:8014  0        None      None    None     2024-10-22 01:06:53 UTC
Red Hat Product Errata  RHSA-2024:8023  0        None      None    None     2024-10-14 01:00:39 UTC
Red Hat Product Errata  RHSA-2024:8676  0        None      None    None     2024-10-30 14:34:14 UTC

Description OSIDB Bzimport 2024-09-10 15:30:55 UTC
Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
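
The practical check for this bug is whether any copy of send below the fixed 0.19.0 is present in a deployment, including copies nested under other packages, since send is commonly pulled in transitively. The script below is an added example (not code from the Bugzilla entry, Red Hat, or the send project) that scans an npm package-lock.json in either the flat lockfileVersion 2/3 layout or the nested lockfileVersion 1 layout and reports every send install path older than 0.19.0. The sample lockfile and the dependent package name "some-framework" are constructed for the demonstration; the only fact taken from the page is the fixed version.

```javascript
// Flag copies of "send" older than the version that fixes CVE-2024-43799.
// Added example; the lockfile below is constructed, not a real project's.

const FIXED_VERSION = '0.19.0'; // first patched release, per the advisory

// Parse "0.18.0", "v0.18.0" or "0.18.0-beta.1" into [major, minor, patch].
// Pre-release suffixes are ignored: a 0.19.0 pre-release is treated as 0.19.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableSend(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a parsed package-lock.json and return [{ path, version }] for every
// vulnerable copy of send, wherever it is installed in the tree.
function findVulnerableSend(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === '' || !pkg.version) continue;
      // Package name is the segment after the last "node_modules/"
      // (this also handles "@scope/name" correctly).
      const marker = 'node_modules/';
      const name = pkg.name || path.slice(path.lastIndexOf(marker) + marker.length);
      if (name === 'send' && isVulnerableSend(pkg.version)) {
        hits.push({ path, version: pkg.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree; recurse to reach
    // copies shadowed under other packages.
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'send' && isVulnerableSend(dep.version)) {
          hits.push({ path, version: dep.version });
        }
        if (dep.dependencies) walk(dep.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample (v3 layout): the top-level send is patched, but a
// hypothetical dependent still pins its own stale copy underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/send': { version: '0.19.0' },
    'node_modules/some-framework': { version: '4.0.0', dependencies: { send: '0.18.0' } },
    'node_modules/some-framework/node_modules/send': { version: '0.18.0' },
  },
};

// Usage: node check-send.js [path/to/package-lock.json]; without an
// argument the constructed sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerableSend(lock);
  for (const h of hits) console.log(`VULNERABLE send@${h.version} at ${h.path}`);
  console.log(hits.length ? `${hits.length} vulnerable copy/copies found` : 'no vulnerable send found');
  process.exitCode = hits.length ? 1 : 0;
}
```

Only the nested 0.18.0 copy is reported for the sample; a top-level `npm ls send` would show the patched copy and could be read as "fixed" if the nested one were overlooked, which is why the scan walks every install path rather than stopping at the first match.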

Comment 1 errata-xmlrpc 2024-10-07 09:22:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2024:7724 https://access.redhat.com/errata/RHSA-2024:7724

Comment 2 errata-xmlrpc 2024-10-07 09:25:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726

Comment 3 errata-xmlrpc 2024-10-07 09:25:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:7725 https://access.redhat.com/errata/RHSA-2024:7725

Comment 4 errata-xmlrpc 2024-10-14 01:00:32 UTC
This issue has been addressed in the following products:

  RHOSS-1.34-RHEL-8

Via RHSA-2024:8023 https://access.redhat.com/errata/RHSA-2024:8023

Comment 5 errata-xmlrpc 2024-10-22 01:06:45 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.7.0-RHEL-9

Via RHSA-2024:8014 https://access.redhat.com/errata/RHSA-2024:8014

Comment 6 errata-xmlrpc 2024-10-30 14:34:07 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676

