Incomplete Fix for CVE-2021-44716 in Red Hat OpenStack Platform
CVE-2024-4437
7.5 HIGH
Key Information
- Vendor: Red Hat
- Status
  - Red Hat OpenStack Platform 16.1
  - Red Hat OpenStack Platform 16.2
  - Red Hat OpenStack Platform 17.1
  - Red Hat OpenStack Platform 18.0
- Vendor
- CVE Published: 8 May 2024
Summary
The etcd package distributed with Red Hat OpenStack Platform has an incomplete fix for CVE-2021-44716. The issue occurs because this etcd package uses http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
Affected Version(s)
Red Hat OpenStack Platform 16.1 <= 0:3.3.23-16.el8ost
Red Hat OpenStack Platform 16.2 <= 0:3.3.23-16.el8ost
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Risk change from: null to: 7.5 - (HIGH)
Vulnerability published.
Reported to Red Hat.
Vulnerability Reserved.
Collectors
NVD Database, Mitre Database