{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:71538f72-2e97-44a1-8e83-3cff563ecb29",
  "version": 1,
  "metadata": {
    "timestamp": "2026-06-20T17:00:19+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "manufacturer": {
            "name": "Aqua Security Software Ltd."
          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.69.3"
        }
      ]
    },
    "component": {
      "bom-ref": "pkg:oci/cp-server-connect-base@sha256%3A33364e9b2e0e05442ee86dad59747a93271c0cf9d182b2f7580cd03360bcfa75?arch=amd64&repository_url=519856050701.dkr.ecr.us-west-2.amazonaws.com%2Fdocker%2Fprod%2Fconfluentinc%2Fcp-server-connect-base",
      "type": "container",
      "supplier": {
        "name": "Confluent"
      },
      "name": "cp-server-connect-base",
      "version": "8.3.0",
      "purl": "pkg:oci/cp-server-connect-base@sha256%3A33364e9b2e0e05442ee86dad59747a93271c0cf9d182b2f7580cd03360bcfa75?arch=amd64&repository_url=519856050701.dkr.ecr.us-west-2.amazonaws.com%2Fdocker%2Fprod%2Fconfluentinc%2Fcp-server-connect-base",
      "properties": [
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:0b4e58a18dff9fdbdf5b3574466711974f3b7205a70f7bd8e3e441925fe122ca"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:1d7db3d495a01334f5db5add96dcc0437e5b5a6abbdd203589f4c6cffc4374d6"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:203f3a34c5563b8bd9e313f0dde880a116fc8710309d73c7dc28b55bf287e461"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:2448e63f8ee13592c68a4f6c1a6bb077333bde10bb3fa318c14be30ee09c0ded"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:2650808cf8fd2b73cb8275970e36585a48a3f834e1c433687f62757eebac6f05"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:32633707bea7ac13e66790afca13013b0ceca25890136fe8092ca66f279b8b6b"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:45173937118e8e4f89503a4e66180e648dd0da1309271672d0dc75c5e88e9b36"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:4772134f6b3efb54a25d276c4a3ede54202eeb77a4238a5a6e364931cbab82f6"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:4dc25dab420af50d8cb259168bb9e9a337cfd9beb47b87a172a0e65fbd0fc63b"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:5358aaf4a3e199a296409b70fb020d4962df8a1ed08658210e6974b6e8ecd7fd"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:5f8a9fdc9b6d238a48edc8bb5b726aec6a61addb99ffb326eb89d122542a8a39"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:6c22aa0612d072b48b07f1064443546000ca9025657e150bd0ed03a765222a01"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:72cbe0ae2bda81d6929e203120174d8ec12eb0c141bc64c90268be1c5841ba10"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:8459f17f60312f790cc07fd062a922914f5642733ec818bf1759195ffea27072"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:8d6972cc960cb54f6dafb71d62bacc75a803194184b8b6a28468b5c80864ff05"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:9a755c83e0586bc17e8f3a499d3ed4285a0280e47d78e9447d902f9147bbda04"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:9f434aa04ce270c65dbc530abe238b6a3ba01bb3bc3a634f38d388e737baedc5"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:a538ac42068c502f137f41dbc0716e6395f91577b710945e6f89eb60294c4bf8"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:a84ceba428418db225413a801e2a1574ea2fb10cd523659c291e7a8d2be1f20b"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:ab35bf37046e48f4a909e2f17da5d70ea1df15d83d88c63185f5ce53bf5d0834"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:accbbd195f1b6cefc2450b3b5aa94315f8fbd7e7140556d1e2d1af72519ee18a"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:b34f5b075cd1aa6be4b8690352c5d6e75627af15eb09a056df7e9200528c275d"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:bb65cbbeee9a4287070b4628bfc8ebcfc1a0528c8d43d82ebf9017f5489ca134"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:c1b8c44bfc489e6fde3f78e8ae0d78bb36a23fcbd648c0842b178931cf4756a8"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:d22d4a33574dbf8de35c1cb435f398fdd34f4906053ec90913360b36e6cab8cf"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:d26d918fcfa913b3abb8d2352efbbee5a025e45783bf1ee8247c4960da2b0fc3"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:d7c1846fd267fa2b1489da4bf43be544f906f358e087fc5a64c278f7d94660f4"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:e95fef888ee2e31ec829e2a75b2c7abdb7694c27e2fec702a0f4e1994cf5e9ef"
        },
        {
          "name": "aquasecurity:trivy:DiffID",
          "value": "sha256:eb16b6bc69e6d27f30bdca2d00a3324217f2685857f9e4f395c33ffd46b5b889"
        },
        {
          "name": "aquasecurity:trivy:ImageID",
          "value": "sha256:b915cf4ead6cfd8cce085b22df68e8361ed54ca703c9adc1eea5c825c2bee932"
        },
        {
          "name": "aquasecurity:trivy:Labels:architecture",
          "value": "x86_64"
        },
        {
          "name": "aquasecurity:trivy:Labels:build-date",
          "value": "2026-05-27T05:14:17Z"
        },
        {
          "name": "aquasecurity:trivy:Labels:com.redhat.component",
          "value": "ubi9-micro-container"
        },
        {
          "name": "aquasecurity:trivy:Labels:com.redhat.license_terms",
          "value": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI"
        },
        {
          "name": "aquasecurity:trivy:Labels:cpe",
          "value": "cpe:/a:redhat:enterprise_linux:9::appstream"
        },
        {
          "name": "aquasecurity:trivy:Labels:description",
          "value": "Confluent platform server image."
        },
        {
          "name": "aquasecurity:trivy:Labels:distribution-scope",
          "value": "public"
        },
        {
          "name": "aquasecurity:trivy:Labels:io.buildah.version",
          "value": "1.42.2"
        },
        {
          "name": "aquasecurity:trivy:Labels:io.confluent.docker",
          "value": "true"
        },
        {
          "name": "aquasecurity:trivy:Labels:io.confluent.docker.build.number",
          "value": "a96c1c84"
        },
        {
          "name": "aquasecurity:trivy:Labels:io.confluent.docker.git.id",
          "value": "88088c0"
        },
        {
          "name": "aquasecurity:trivy:Labels:io.confluent.docker.git.repo",
          "value": "confluentinc/kafka-images"
        },
        {
          "name": "aquasecurity:trivy:Labels:io.k8s.description",
          "value": "Very small image which doesn't install the package manager."
        },
        {
          "name": "aquasecurity:trivy:Labels:io.k8s.display-name",
          "value": "Red Hat Universal Base Image 9 Micro"
        },
        {
          "name": "aquasecurity:trivy:Labels:maintainer",
          "value": "partner-support@confluent.io"
        },
        {
          "name": "aquasecurity:trivy:Labels:name",
          "value": "cp-server-connect-base"
        },
        {
          "name": "aquasecurity:trivy:Labels:org.opencontainers.image.created",
          "value": "2026-05-27T05:14:17Z"
        },
        {
          "name": "aquasecurity:trivy:Labels:org.opencontainers.image.revision",
          "value": "07b63a33661d5a413e5dd39397eb30b0babf0c2e"
        },
        {
          "name": "aquasecurity:trivy:Labels:release",
          "value": "8.3.0-40"
        },
        {
          "name": "aquasecurity:trivy:Labels:summary",
          "value": "Confluent platform server connect base image."
        },
        {
          "name": "aquasecurity:trivy:Labels:url",
          "value": "https://catalog.redhat.com/en/search?searchType=containers"
        },
        {
          "name": "aquasecurity:trivy:Labels:vcs-ref",
          "value": "07b63a33661d5a413e5dd39397eb30b0babf0c2e"
        },
        {
          "name": "aquasecurity:trivy:Labels:vcs-type",
          "value": "git"
        },
        {
          "name": "aquasecurity:trivy:Labels:vendor",
          "value": "Confluent"
        },
        {
          "name": "aquasecurity:trivy:Labels:version",
          "value": "88088c0"
        },
        {
          "name": "aquasecurity:trivy:Reference",
          "value": "519856050701.dkr.ecr.us-west-2.amazonaws.com/docker/prod/confluentinc/cp-server-connect-base:8.3.0-rc260609064421-latest-ubi9"
        },
        {
          "name": "aquasecurity:trivy:RepoDigest",
          "value": "519856050701.dkr.ecr.us-west-2.amazonaws.com/docker/prod/confluentinc/cp-server-connect-base@sha256:33364e9b2e0e05442ee86dad59747a93271c0cf9d182b2f7580cd03360bcfa75"
        },
        {
          "name": "aquasecurity:trivy:RepoTag",
          "value": "519856050701.dkr.ecr.us-west-2.amazonaws.com/docker/prod/confluentinc/cp-server-connect-base:8.3.0-rc260609064421-latest-ubi9"
        },
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        },
        {
          "name": "aquasecurity:trivy:Size",
          "value": "1483732992"
        }
      ]
    }
  },
  "components": [],
  "dependencies": [],
  "vulnerabilities": [
    {
      "id": "CVE-2005-2541",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 10,
          "severity": "high",
          "method": "CVSSv2",
          "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2005-2541"
        },
        {
          "url": "http://marc.info/?l=bugtraq&m=112327628230258&w=2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2005-2541"
        },
        {
          "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-2541"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2005-2541"
        }
      ],
      "published": "2005-08-10T04:00:00+00:00",
      "updated": "2026-04-16T00:27:16+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.34-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform does not invoke any binaries present in the container. That assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2021-31879",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.8,
          "severity": "medium",
          "method": "CVSSv2",
          "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        601
      ],
      "description": "GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2021-31879"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-31879"
        },
        {
          "url": "https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31879"
        },
        {
          "url": "https://savannah.gnu.org/bugs/?56909"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20210618-0002/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-31879"
        }
      ],
      "published": "2021-04-29T05:15:08+00:00",
      "updated": "2024-11-21T06:06:25+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/wget@1.21.1-8.el9_4?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.21.1-8.el9_4",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/wget@1.21.1-8.el9_4?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform does not invoke any binaries present in the container. That assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2021-3572",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.7,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 3.5,
          "severity": "info",
          "method": "CVSSv2",
          "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        20
      ],
      "description": "A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2021-3572"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2021:3254"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-3572"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772014"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928707"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928904"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935913"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941534"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955615"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1957458"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1962856"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1968074"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18874"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27619"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29921"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42771"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2021:4162"
        },
        {
          "url": "https://github.com/advisories/GHSA-5xp3-jfq3-5q8x"
        },
        {
          "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml"
        },
        {
          "url": "https://github.com/pypa/pip"
        },
        {
          "url": "https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b"
        },
        {
          "url": "https://github.com/pypa/pip/issues/10042"
        },
        {
          "url": "https://github.com/pypa/pip/issues/10042#issuecomment-857452480"
        },
        {
          "url": "https://github.com/pypa/pip/pull/9827"
        },
        {
          "url": "https://github.com/skazi0/CVE-2021-3572/blob/master/CVE-2021-3572-v9.0.1.patch"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2021-3572.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2023-12349.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3572"
        },
        {
          "url": "https://packetstormsecurity.com/files/162712/USN-4961-1.txt"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-4961-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3572"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "published": "2021-11-10T18:15:09+00:00",
      "updated": "2024-11-21T06:21:52+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "21.3.1-2.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2021-46195",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.3,
          "severity": "medium",
          "method": "CVSSv2",
          "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        674
      ],
      "description": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2021-46195"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2022:8415"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-46195"
        },
        {
          "url": "https://bugzilla.redhat.com/2046300"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2022-8415.html"
        },
        {
          "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841"
        },
        {
          "url": "https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=f10bec5ffa487ad3033ed5f38cfd0fc7d696deab"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2021-46195.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2022-8415.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-46195"
        }
      ],
      "published": "2022-01-14T20:15:15+00:00",
      "updated": "2024-11-21T06:33:45+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "11.5.0-14.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libgomp@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "11.5.0-14.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "11.5.0-14.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libgomp@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libgomp@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2022-27943",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.3,
          "severity": "medium",
          "method": "CVSSv2",
          "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        674
      ],
      "description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-27943"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-27943"
        },
        {
          "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039"
        },
        {
          "url": "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=1a770b01ef415e114164b6151d1e55acdee09371"
        },
        {
          "url": "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79"
        },
        {
          "url": "https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=fc968115a742d9e4674d9725ce9c2106b91b6ead"
        },
        {
          "url": "https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28995"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-27943"
        }
      ],
      "published": "2022-03-26T13:15:07+00:00",
      "updated": "2024-11-21T06:56:31+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "11.5.0-14.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libgomp@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "11.5.0-14.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "11.5.0-14.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libgomp@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libgomp@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libgcc@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libstdc%2B%2B@11.5.0-14.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform\u00a0 is not linked against the vulnerable system library. That assures that the vulnerable code path in the affected library is not reachable."
      }
    },
    {
      "id": "CVE-2022-3219",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.2,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        787
      ],
      "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-3219"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-3219"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127010"
        },
        {
          "url": "https://dev.gnupg.org/D556"
        },
        {
          "url": "https://dev.gnupg.org/T5993"
        },
        {
          "url": "https://marc.info/?l=oss-security&m=165696590211434&w=4"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3219"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230324-0001/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-3219"
        }
      ],
      "published": "2023-02-23T20:15:12+00:00",
      "updated": "2025-03-12T21:15:38+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.3.3-5.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform does not invoke any binaries present in the container. That assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2022-41409",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        190
      ],
      "description": "Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2022-41409"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-41409"
        },
        {
          "url": "https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35"
        },
        {
          "url": "https://github.com/PCRE2Project/pcre2/issues/141"
        },
        {
          "url": "https://github.com/advisories/GHSA-4qfx-v7wh-3q4j"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41409"
        }
      ],
      "published": "2023-07-18T14:15:12+00:00",
      "updated": "2024-11-21T07:23:10+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "10.40-6.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "10.40-6.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/pcre2-syntax@10.40-6.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/pcre2@10.40-6.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform\u00a0 is not linked against the vulnerable system library. That assures that the vulnerable code path in the affected library is not reachable."
      }
    },
    {
      "id": "CVE-2023-30571",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H"
        }
      ],
      "cwes": [
        362
      ],
      "description": "Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-30571"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-30571"
        },
        {
          "url": "https://access.redhat.com/solutions/7033331"
        },
        {
          "url": "https://github.com/libarchive/libarchive/issues/1876"
        },
        {
          "url": "https://groups.google.com/g/libarchive-announce"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30571"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-30571"
        }
      ],
      "published": "2023-05-29T20:15:09+00:00",
      "updated": "2025-01-14T17:15:11+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2023-32636",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.2,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        400,
        502
      ],
      "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-32636"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2024:2528"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-32636"
        },
        {
          "url": "https://bugzilla.redhat.com/2211827"
        },
        {
          "url": "https://bugzilla.redhat.com/2211828"
        },
        {
          "url": "https://bugzilla.redhat.com/2211829"
        },
        {
          "url": "https://bugzilla.redhat.com/2211833"
        },
        {
          "url": "https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2024-2528.html"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2841"
        },
        {
          "url": "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2023-32636.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2024-2528.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231110-0002/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6165-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6165-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-32636"
        }
      ],
      "published": "2023-09-14T20:15:09+00:00",
      "updated": "2024-11-21T08:03:44+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform\u00a0 is not linked against the vulnerable system library. That assures that the vulnerable code path in the affected library is not reachable."
      }
    },
    {
      "id": "CVE-2023-39804",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "description": "In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-39804"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-39804"
        },
        {
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079"
        },
        {
          "url": "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4"
        },
        {
          "url": "https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00008.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6543-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-39804"
        }
      ],
      "published": "2024-03-27T04:15:08+00:00",
      "updated": "2025-11-04T19:15:55+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.34-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform does not invoke any binaries present in the container. That assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2023-4156",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.1,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        125
      ],
      "description": "A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-4156"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-4156"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215930"
        },
        {
          "url": "https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212"
        },
        {
          "url": "https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00000.html"
        },
        {
          "url": "https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4156"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6373-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4156"
        }
      ],
      "published": "2023-09-25T18:15:11+00:00",
      "updated": "2024-11-21T08:34:30+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/gawk@5.1.0-6.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "5.1.0-6.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/gawk@5.1.0-6.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/gawk@5.1.0-6.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform does not invoke any binaries present in the container. That assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2023-45322",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        416
      ],
      "description": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\"",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-45322"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/10/06/5"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-45322"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/344"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/583"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45322"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-45322"
        }
      ],
      "published": "2023-10-06T22:15:11+00:00",
      "updated": "2025-11-03T21:16:01+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2023-45803",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 4.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        200
      ],
      "description": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-45803"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2024:2132"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-45803"
        },
        {
          "url": "https://bugzilla.redhat.com/2246840"
        },
        {
          "url": "https://bugzilla.redhat.com/2257028"
        },
        {
          "url": "https://bugzilla.redhat.com/2257854"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246840"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45803"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2024-2132.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2024:11238"
        },
        {
          "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml"
        },
        {
          "url": "https://github.com/urllib3/urllib3"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36"
        },
        {
          "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18"
        },
        {
          "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7"
        },
        {
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2023-45803.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2024-2988.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6473-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6473-2"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7762-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
        },
        {
          "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
        }
      ],
      "published": "2023-10-17T20:15:10+00:00",
      "updated": "2025-11-03T22:16:28+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "21.3.1-2.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2023-50495",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2023-50495"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-50495"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/"
        },
        {
          "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html"
        },
        {
          "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240119-0008/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6684-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-50495"
        }
      ],
      "published": "2023-12-12T15:15:07+00:00",
      "updated": "2025-11-04T19:16:14+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "6.2-12.20210508.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "6.2-12.20210508.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/ncurses-base@6.2-12.20210508.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/ncurses-libs@6.2-12.20210508.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform\u00a0 is not linked against the vulnerable system library. That assures that the vulnerable code path in the affected library is not reachable."
      }
    },
    {
      "id": "CVE-2024-0232",
      "ratings": [
        {
          "source": {
            "name": "bitnami"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        416
      ],
      "description": "A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-0232"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-0232"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243754"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QDCMYQ3J45NHQ4EJREM3BJNNKB5BK4Y7/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0232"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240315-0007/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-0232"
        }
      ],
      "published": "2024-01-16T14:15:48+00:00",
      "updated": "2024-11-21T08:46:06+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.34.1-10.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform does not invoke any binaries present in the container. That assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2024-10524",
      "ratings": [
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
        }
      ],
      "cwes": [
        918
      ],
      "description": "Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-10524"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/11/18/6"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-10524"
        },
        {
          "url": "https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778"
        },
        {
          "url": "https://github.com/advisories/GHSA-mqrm-h2pw-9j9r"
        },
        {
          "url": "https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability"
        },
        {
          "url": "https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10524"
        },
        {
          "url": "https://seclists.org/oss-sec/2024/q4/107"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250321-0007"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250321-0007/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-10524"
        }
      ],
      "published": "2024-11-19T15:15:06+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/wget@1.21.1-8.el9_4?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.21.1-8.el9_4",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/wget@1.21.1-8.el9_4?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2024-11053",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 3.4,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "description": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-11053"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/12/11/1"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2025:1671"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-11053"
        },
        {
          "url": "https://bugzilla.redhat.com/2294581"
        },
        {
          "url": "https://bugzilla.redhat.com/2294676"
        },
        {
          "url": "https://bugzilla.redhat.com/2301888"
        },
        {
          "url": "https://bugzilla.redhat.com/2318857"
        },
        {
          "url": "https://bugzilla.redhat.com/2318858"
        },
        {
          "url": "https://bugzilla.redhat.com/2318870"
        },
        {
          "url": "https://bugzilla.redhat.com/2318873"
        },
        {
          "url": "https://bugzilla.redhat.com/2318874"
        },
        {
          "url": "https://bugzilla.redhat.com/2318876"
        },
        {
          "url": "https://bugzilla.redhat.com/2318882"
        },
        {
          "url": "https://bugzilla.redhat.com/2318883"
        },
        {
          "url": "https://bugzilla.redhat.com/2318884"
        },
        {
          "url": "https://bugzilla.redhat.com/2318885"
        },
        {
          "url": "https://bugzilla.redhat.com/2318886"
        },
        {
          "url": "https://bugzilla.redhat.com/2318897"
        },
        {
          "url": "https://bugzilla.redhat.com/2318900"
        },
        {
          "url": "https://bugzilla.redhat.com/2318905"
        },
        {
          "url": "https://bugzilla.redhat.com/2318914"
        },
        {
          "url": "https://bugzilla.redhat.com/2318922"
        },
        {
          "url": "https://bugzilla.redhat.com/2318923"
        },
        {
          "url": "https://bugzilla.redhat.com/2318925"
        },
        {
          "url": "https://bugzilla.redhat.com/2318926"
        },
        {
          "url": "https://bugzilla.redhat.com/2318927"
        },
        {
          "url": "https://bugzilla.redhat.com/2331191"
        },
        {
          "url": "https://bugzilla.redhat.com/2339218"
        },
        {
          "url": "https://bugzilla.redhat.com/2339220"
        },
        {
          "url": "https://bugzilla.redhat.com/2339221"
        },
        {
          "url": "https://bugzilla.redhat.com/2339226"
        },
        {
          "url": "https://bugzilla.redhat.com/2339231"
        },
        {
          "url": "https://bugzilla.redhat.com/2339236"
        },
        {
          "url": "https://bugzilla.redhat.com/2339238"
        },
        {
          "url": "https://bugzilla.redhat.com/2339243"
        },
        {
          "url": "https://bugzilla.redhat.com/2339247"
        },
        {
          "url": "https://bugzilla.redhat.com/2339252"
        },
        {
          "url": "https://bugzilla.redhat.com/2339259"
        },
        {
          "url": "https://bugzilla.redhat.com/2339266"
        },
        {
          "url": "https://bugzilla.redhat.com/2339270"
        },
        {
          "url": "https://bugzilla.redhat.com/2339271"
        },
        {
          "url": "https://bugzilla.redhat.com/2339275"
        },
        {
          "url": "https://bugzilla.redhat.com/2339277"
        },
        {
          "url": "https://bugzilla.redhat.com/2339281"
        },
        {
          "url": "https://bugzilla.redhat.com/2339284"
        },
        {
          "url": "https://bugzilla.redhat.com/2339291"
        },
        {
          "url": "https://bugzilla.redhat.com/2339293"
        },
        {
          "url": "https://bugzilla.redhat.com/2339295"
        },
        {
          "url": "https://bugzilla.redhat.com/2339299"
        },
        {
          "url": "https://bugzilla.redhat.com/2339300"
        },
        {
          "url": "https://bugzilla.redhat.com/2339304"
        },
        {
          "url": "https://bugzilla.redhat.com/2339305"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294581"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294676"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301888"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318857"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318858"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318870"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318873"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318874"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318876"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318883"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318886"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318900"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318905"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318914"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318922"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318923"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318925"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318926"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318927"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331191"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339218"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339220"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339221"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339226"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339231"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339236"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339238"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339243"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339247"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339252"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339259"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339266"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339270"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339271"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339275"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339277"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339281"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339284"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339291"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339293"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339295"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339299"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339300"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339304"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339305"
        },
        {
          "url": "https://curl.se/docs/CVE-2024-11053.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2024-11053.json"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21490"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2025-1671.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2025:1671"
        },
        {
          "url": "https://github.com/advisories/GHSA-h288-5fq8-5pfw"
        },
        {
          "url": "https://hackerone.com/reports/2829063"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2024-11053.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2025-1673.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11053"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250124-0012"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250124-0012/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250131-0003"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250131-0003/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250131-0004"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250131-0004/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7162-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-11053"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL"
        }
      ],
      "published": "2024-12-11T08:15:05+00:00",
      "updated": "2025-11-03T21:16:04+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2024-13176",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 4.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        385
      ],
      "description": "Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-13176"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/01/20/2"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2025:16046"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-13176"
        },
        {
          "url": "https://bugzilla.redhat.com/2359885"
        },
        {
          "url": "https://bugzilla.redhat.com/2359888"
        },
        {
          "url": "https://bugzilla.redhat.com/2359892"
        },
        {
          "url": "https://bugzilla.redhat.com/2359894"
        },
        {
          "url": "https://bugzilla.redhat.com/2359895"
        },
        {
          "url": "https://bugzilla.redhat.com/2359899"
        },
        {
          "url": "https://bugzilla.redhat.com/2359900"
        },
        {
          "url": "https://bugzilla.redhat.com/2359902"
        },
        {
          "url": "https://bugzilla.redhat.com/2359903"
        },
        {
          "url": "https://bugzilla.redhat.com/2359911"
        },
        {
          "url": "https://bugzilla.redhat.com/2359918"
        },
        {
          "url": "https://bugzilla.redhat.com/2359920"
        },
        {
          "url": "https://bugzilla.redhat.com/2359924"
        },
        {
          "url": "https://bugzilla.redhat.com/2359928"
        },
        {
          "url": "https://bugzilla.redhat.com/2359930"
        },
        {
          "url": "https://bugzilla.redhat.com/2359932"
        },
        {
          "url": "https://bugzilla.redhat.com/2359934"
        },
        {
          "url": "https://bugzilla.redhat.com/2359938"
        },
        {
          "url": "https://bugzilla.redhat.com/2359940"
        },
        {
          "url": "https://bugzilla.redhat.com/2359943"
        },
        {
          "url": "https://bugzilla.redhat.com/2359944"
        },
        {
          "url": "https://bugzilla.redhat.com/2359945"
        },
        {
          "url": "https://bugzilla.redhat.com/2359947"
        },
        {
          "url": "https://bugzilla.redhat.com/2359950"
        },
        {
          "url": "https://bugzilla.redhat.com/2359963"
        },
        {
          "url": "https://bugzilla.redhat.com/2359964"
        },
        {
          "url": "https://bugzilla.redhat.com/2359972"
        },
        {
          "url": "https://bugzilla.redhat.com/2370920"
        },
        {
          "url": "https://bugzilla.redhat.com/2380264"
        },
        {
          "url": "https://bugzilla.redhat.com/2380273"
        },
        {
          "url": "https://bugzilla.redhat.com/2380274"
        },
        {
          "url": "https://bugzilla.redhat.com/2380278"
        },
        {
          "url": "https://bugzilla.redhat.com/2380280"
        },
        {
          "url": "https://bugzilla.redhat.com/2380283"
        },
        {
          "url": "https://bugzilla.redhat.com/2380284"
        },
        {
          "url": "https://bugzilla.redhat.com/2380290"
        },
        {
          "url": "https://bugzilla.redhat.com/2380291"
        },
        {
          "url": "https://bugzilla.redhat.com/2380295"
        },
        {
          "url": "https://bugzilla.redhat.com/2380298"
        },
        {
          "url": "https://bugzilla.redhat.com/2380306"
        },
        {
          "url": "https://bugzilla.redhat.com/2380308"
        },
        {
          "url": "https://bugzilla.redhat.com/2380309"
        },
        {
          "url": "https://bugzilla.redhat.com/2380310"
        },
        {
          "url": "https://bugzilla.redhat.com/2380312"
        },
        {
          "url": "https://bugzilla.redhat.com/2380313"
        },
        {
          "url": "https://bugzilla.redhat.com/2380320"
        },
        {
          "url": "https://bugzilla.redhat.com/2380321"
        },
        {
          "url": "https://bugzilla.redhat.com/2380322"
        },
        {
          "url": "https://bugzilla.redhat.com/2380326"
        },
        {
          "url": "https://bugzilla.redhat.com/2380327"
        },
        {
          "url": "https://bugzilla.redhat.com/2380334"
        },
        {
          "url": "https://bugzilla.redhat.com/2380335"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338999"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359888"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359895"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359899"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359900"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359902"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359903"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359911"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359918"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359920"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359924"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359928"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359930"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359934"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359938"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359940"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359943"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359944"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359945"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359947"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359950"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359963"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359964"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359972"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370920"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380264"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380273"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380274"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380278"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380280"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380283"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380284"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380290"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380291"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380295"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380298"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380306"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380308"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380309"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380310"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380312"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380313"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380320"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380321"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380322"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380326"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380327"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380334"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380335"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21574"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21575"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21577"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21579"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21580"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21581"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21584"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21585"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21588"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30681"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30682"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30683"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30684"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30685"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30687"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30688"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30689"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30693"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30695"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30696"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30699"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30703"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30704"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30705"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30715"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30721"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30722"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50077"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50078"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50079"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50080"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50081"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50082"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50083"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50084"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50085"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50086"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50087"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50088"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50091"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50092"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50093"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50094"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50096"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50097"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50098"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50099"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50100"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50101"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50102"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50104"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5399"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2025-16046.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2025:15699"
        },
        {
          "url": "https://github.com/advisories/GHSA-r9fv-h47r-823f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"
        },
        {
          "url": "https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"
        },
        {
          "url": "https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2024-13176.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2025-16046.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13176"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20250120.txt"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250124-0005"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250124-0005/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250418-0010"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250418-0010/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250502-0006"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250502-0006/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7264-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7278-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7894-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-13176"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixMSQL"
        }
      ],
      "published": "2025-01-20T14:15:26+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ]
    },
    {
      "id": "CVE-2024-25260",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        476
      ],
      "description": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-25260"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-25260"
        },
        {
          "url": "https://github.com/schsiung/fuzzer_issues/issues/1"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25260"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31058"
        },
        {
          "url": "https://sourceware.org/elfutils/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7369-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-25260"
        }
      ],
      "published": "2024-02-20T18:15:52+00:00",
      "updated": "2025-04-25T20:42:23+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent Platform\u00a0 is not linked against the vulnerable system library. That assures that the vulnerable code path in the affected library is not reachable."
      }
    },
    {
      "id": "CVE-2024-29040",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        502
      ],
      "description": "This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field `TPM2_GENERATED magic` of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This \nissue has been patched in version 4.1.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-29040"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-29040"
        },
        {
          "url": "https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99"
        },
        {
          "url": "https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0"
        },
        {
          "url": "https://github.com/tpm2-software/tpm2-tss/security/advisories/GHSA-837m-jw3m-h9p6"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFR7SVEWCOXORHPCLLGXEMHFMIGG2MFE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GI4JFEZBKQQUPJ4RWK6IHEWXAFCEJDPI/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29040"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6796-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29040"
        }
      ],
      "published": "2024-06-28T21:15:02+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/tpm2-tss@3.2.3-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.2.3-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/tpm2-tss@3.2.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/tpm2-tss@3.2.3-1.el9?arch=x86_64&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2024-34459",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        122
      ],
      "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-34459"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:26354"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-34459"
        },
        {
          "url": "https://bugzilla.redhat.com/2280532"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280532"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459"
        },
        {
          "url": "https://errata.almalinux.org/8/ALSA-2026-26354.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:26354"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2024-34459.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-26354.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7240-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7302-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-34459"
        }
      ],
      "published": "2024-05-14T15:39:11+00:00",
      "updated": "2025-11-04T22:16:01+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2024-41996",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        295
      ],
      "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-41996"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-41996"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-485750.html"
        },
        {
          "url": "https://dheatattack.gitlab.io/details/"
        },
        {
          "url": "https://dheatattack.gitlab.io/faq/"
        },
        {
          "url": "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1"
        },
        {
          "url": "https://github.com/openssl/openssl/issues/17374"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996"
        },
        {
          "url": "https://openssl-library.org/post/2022-10-21-tls-groups-configuration/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-41996"
        }
      ],
      "published": "2024-08-26T06:15:04+00:00",
      "updated": "2026-05-12T12:17:03+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Java Runtime that executes Confluent                  Platform does not invoke any binaries present in the container. That                 assures that the vulnerable code path in the affected application is not reachable."
      }
    },
    {
      "id": "CVE-2024-7264",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        125
      ],
      "description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-7264"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/07/31/1"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2025:1671"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-7264"
        },
        {
          "url": "https://bugzilla.redhat.com/2294581"
        },
        {
          "url": "https://bugzilla.redhat.com/2294676"
        },
        {
          "url": "https://bugzilla.redhat.com/2301888"
        },
        {
          "url": "https://bugzilla.redhat.com/2318857"
        },
        {
          "url": "https://bugzilla.redhat.com/2318858"
        },
        {
          "url": "https://bugzilla.redhat.com/2318870"
        },
        {
          "url": "https://bugzilla.redhat.com/2318873"
        },
        {
          "url": "https://bugzilla.redhat.com/2318874"
        },
        {
          "url": "https://bugzilla.redhat.com/2318876"
        },
        {
          "url": "https://bugzilla.redhat.com/2318882"
        },
        {
          "url": "https://bugzilla.redhat.com/2318883"
        },
        {
          "url": "https://bugzilla.redhat.com/2318884"
        },
        {
          "url": "https://bugzilla.redhat.com/2318885"
        },
        {
          "url": "https://bugzilla.redhat.com/2318886"
        },
        {
          "url": "https://bugzilla.redhat.com/2318897"
        },
        {
          "url": "https://bugzilla.redhat.com/2318900"
        },
        {
          "url": "https://bugzilla.redhat.com/2318905"
        },
        {
          "url": "https://bugzilla.redhat.com/2318914"
        },
        {
          "url": "https://bugzilla.redhat.com/2318922"
        },
        {
          "url": "https://bugzilla.redhat.com/2318923"
        },
        {
          "url": "https://bugzilla.redhat.com/2318925"
        },
        {
          "url": "https://bugzilla.redhat.com/2318926"
        },
        {
          "url": "https://bugzilla.redhat.com/2318927"
        },
        {
          "url": "https://bugzilla.redhat.com/2331191"
        },
        {
          "url": "https://bugzilla.redhat.com/2339218"
        },
        {
          "url": "https://bugzilla.redhat.com/2339220"
        },
        {
          "url": "https://bugzilla.redhat.com/2339221"
        },
        {
          "url": "https://bugzilla.redhat.com/2339226"
        },
        {
          "url": "https://bugzilla.redhat.com/2339231"
        },
        {
          "url": "https://bugzilla.redhat.com/2339236"
        },
        {
          "url": "https://bugzilla.redhat.com/2339238"
        },
        {
          "url": "https://bugzilla.redhat.com/2339243"
        },
        {
          "url": "https://bugzilla.redhat.com/2339247"
        },
        {
          "url": "https://bugzilla.redhat.com/2339252"
        },
        {
          "url": "https://bugzilla.redhat.com/2339259"
        },
        {
          "url": "https://bugzilla.redhat.com/2339266"
        },
        {
          "url": "https://bugzilla.redhat.com/2339270"
        },
        {
          "url": "https://bugzilla.redhat.com/2339271"
        },
        {
          "url": "https://bugzilla.redhat.com/2339275"
        },
        {
          "url": "https://bugzilla.redhat.com/2339277"
        },
        {
          "url": "https://bugzilla.redhat.com/2339281"
        },
        {
          "url": "https://bugzilla.redhat.com/2339284"
        },
        {
          "url": "https://bugzilla.redhat.com/2339291"
        },
        {
          "url": "https://bugzilla.redhat.com/2339293"
        },
        {
          "url": "https://bugzilla.redhat.com/2339295"
        },
        {
          "url": "https://bugzilla.redhat.com/2339299"
        },
        {
          "url": "https://bugzilla.redhat.com/2339300"
        },
        {
          "url": "https://bugzilla.redhat.com/2339304"
        },
        {
          "url": "https://bugzilla.redhat.com/2339305"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294581"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294676"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301888"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318857"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318858"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318870"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318873"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318874"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318876"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318883"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318886"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318900"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318905"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318914"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318922"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318923"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318925"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318926"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318927"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331191"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339218"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339220"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339221"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339226"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339231"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339236"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339238"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339243"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339247"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339252"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339259"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339266"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339270"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339271"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339275"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339277"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339281"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339284"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339291"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339293"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339295"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339299"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339300"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339304"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339305"
        },
        {
          "url": "https://curl.se/docs/CVE-2024-7264.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2024-7264.json"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21193"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21194"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21196"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21197"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21198"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21199"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21201"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21203"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21212"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21213"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21218"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21219"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21230"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21231"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21236"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21237"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21238"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21239"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21241"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21247"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37371"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21490"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21491"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21494"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21497"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21500"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21501"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21503"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21504"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21505"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21518"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21520"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21521"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21522"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21523"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21525"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21529"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21531"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21534"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21536"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21540"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21543"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21546"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21555"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21559"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2025-1671.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2025:1671"
        },
        {
          "url": "https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519"
        },
        {
          "url": "https://hackerone.com/reports/2629968"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2024-7264.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2025-1673.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7264"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240828-0008/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20241025-0006/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20241025-0010/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6944-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-6944-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL"
        }
      ],
      "published": "2024-07-31T08:15:02+00:00",
      "updated": "2025-11-03T23:17:31+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2024-9681",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        697
      ],
      "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2024-9681"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/10"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/11"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/12"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/13"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/4"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/5"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/9"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/11/06/2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2024-9681"
        },
        {
          "url": "https://curl.se/docs/CVE-2024-9681.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2024-9681.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-g337-g667-mjvw"
        },
        {
          "url": "https://hackerone.com/reports/2764830"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20241213-0006"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20241213-0006/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7104-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9681"
        }
      ],
      "published": "2024-11-06T08:15:03+00:00",
      "updated": "2025-11-03T21:18:48+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-11468",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        93
      ],
      "description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-11468"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-11468"
        },
        {
          "url": "https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094"
        },
        {
          "url": "https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2"
        },
        {
          "url": "https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6"
        },
        {
          "url": "https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66"
        },
        {
          "url": "https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0"
        },
        {
          "url": "https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796"
        },
        {
          "url": "https://github.com/python/cpython/issues/143935"
        },
        {
          "url": "https://github.com/python/cpython/pull/143936"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11468"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8018-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-11468"
        }
      ],
      "published": "2026-01-20T22:15:50+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-11961",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 1.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N"
        }
      ],
      "cwes": [
        122,
        126
      ],
      "description": "pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer.  The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented.  If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-11961"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-11961"
        },
        {
          "url": "https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11961"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-11961"
        }
      ],
      "published": "2025-12-31T01:15:54+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libpcap@1.10.0-4.el9?arch=x86_64&distro=redhat-9.8&epoch=14",
          "versions": [
            {
              "version": "14:1.10.0-4.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libpcap@1.10.0-4.el9?arch=x86_64&distro=redhat-9.8&epoch=14"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-12781",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        }
      ],
      "cwes": [
        704
      ],
      "description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.\n\n\n\n\nThis behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.\n\n\n\n\nThe attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python.\u00a0Users are recommended to mitigate by verifying user-controlled inputs match the base64 \nalphabet they are expecting or verify that their application would not be \naffected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-12781"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-12781"
        },
        {
          "url": "https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b"
        },
        {
          "url": "https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947"
        },
        {
          "url": "https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5"
        },
        {
          "url": "https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76"
        },
        {
          "url": "https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5"
        },
        {
          "url": "https://github.com/python/cpython/issues/125346"
        },
        {
          "url": "https://github.com/python/cpython/pull/141128"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12781"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-12781"
        }
      ],
      "published": "2026-01-21T20:16:04+00:00",
      "updated": "2026-02-02T17:25:23+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-13034",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        295
      ],
      "description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool,curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-13034"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-13034"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-13034.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-13034.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-9r76-qj98-jfhc"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13034"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13034"
        }
      ],
      "published": "2026-01-08T10:15:45+00:00",
      "updated": "2026-01-20T14:54:02+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-13151",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-13151"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/08/5"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-13151"
        },
        {
          "url": "https://gitlab.com/gnutls/libtasn1"
        },
        {
          "url": "https://gitlab.com/gnutls/libtasn1/-/merge_requests/121"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13151"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7954-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7954-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13151"
        },
        {
          "url": "https://www.kb.cert.org/vuls/id/271649"
        }
      ],
      "published": "2026-01-07T22:15:43+00:00",
      "updated": "2026-02-02T19:27:23+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.0-9.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libtasn1@4.16.0-9.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-13462",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        20,
        74,
        434
      ],
      "description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-13462"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-13462"
        },
        {
          "url": "https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab"
        },
        {
          "url": "https://github.com/python/cpython/commit/72dde1016493c52abe857fc4a7bf6c40138b4114"
        },
        {
          "url": "https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017"
        },
        {
          "url": "https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406"
        },
        {
          "url": "https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7"
        },
        {
          "url": "https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084"
        },
        {
          "url": "https://github.com/python/cpython/issues/141707"
        },
        {
          "url": "https://github.com/python/cpython/pull/143934"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13462"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13462"
        }
      ],
      "published": "2026-03-12T18:16:21+00:00",
      "updated": "2026-06-11T14:29:37+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-1371",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        404,
        476
      ],
      "description": "A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-1371"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-1371"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1371"
        },
        {
          "url": "https://sourceware.org/bugzilla/attachment.cgi?id=15926"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32655"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32655#c2"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7369-1"
        },
        {
          "url": "https://vuldb.com/?ctiid.295978"
        },
        {
          "url": "https://vuldb.com/?id.295978"
        },
        {
          "url": "https://vuldb.com/?submit.496484"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1371"
        },
        {
          "url": "https://www.gnu.org/"
        }
      ],
      "published": "2025-02-17T03:15:09+00:00",
      "updated": "2025-11-04T20:13:36+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-1376",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        404
      ],
      "description": "A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-1376"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-1376"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1376"
        },
        {
          "url": "https://sourceware.org/bugzilla/attachment.cgi?id=15940"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32672"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32672#c3"
        },
        {
          "url": "https://vuldb.com/?ctiid.295984"
        },
        {
          "url": "https://vuldb.com/?id.295984"
        },
        {
          "url": "https://vuldb.com/?submit.497538"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1376"
        },
        {
          "url": "https://www.gnu.org/"
        }
      ],
      "published": "2025-02-17T05:15:09+00:00",
      "updated": "2026-06-02T14:16:29+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-1377",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        404
      ],
      "description": "A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-1377"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-1377"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1377"
        },
        {
          "url": "https://sourceware.org/bugzilla/attachment.cgi?id=15941"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32673"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32673#c2"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7369-1"
        },
        {
          "url": "https://vuldb.com/?ctiid.295985"
        },
        {
          "url": "https://vuldb.com/?id.295985"
        },
        {
          "url": "https://vuldb.com/?submit.497539"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1377"
        },
        {
          "url": "https://www.gnu.org/"
        }
      ],
      "published": "2025-02-17T05:15:10+00:00",
      "updated": "2025-11-04T20:26:20+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.194-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-default-yama-scope@0.194-1.el9?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libelf@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/elfutils-libs@0.194-1.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-13837",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        400
      ],
      "description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-13837"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-13837"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036"
        },
        {
          "url": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b"
        },
        {
          "url": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70"
        },
        {
          "url": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba"
        },
        {
          "url": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb"
        },
        {
          "url": "https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111"
        },
        {
          "url": "https://github.com/python/cpython/issues/119342"
        },
        {
          "url": "https://github.com/python/cpython/pull/119343"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2025-13837.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13837"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8018-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13837"
        }
      ],
      "published": "2025-12-01T18:16:04+00:00",
      "updated": "2026-03-03T15:16:14+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-14017",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 6.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-14017"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/07/3"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-14017"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-14017.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-14017.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-jh4h-2cg6-889h"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14017"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-14017"
        }
      ],
      "published": "2026-01-08T10:15:45+00:00",
      "updated": "2026-01-27T21:29:39+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-14524",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        601
      ],
      "description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-14524"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/07/4"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-14524"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-14524.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-14524.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-g897-jvjx-78vg"
        },
        {
          "url": "https://hackerone.com/reports/3459417"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14524"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-14524"
        }
      ],
      "published": "2026-01-08T10:15:46+00:00",
      "updated": "2026-01-20T14:53:11+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-15079",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 8.1,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        297
      ],
      "description": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-15079"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/07/6"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-15079"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-15079.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-15079.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-7q9p-cx8r-rh2q"
        },
        {
          "url": "https://hackerone.com/reports/3477116"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15079"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-15079"
        }
      ],
      "published": "2026-01-08T10:15:47+00:00",
      "updated": "2026-01-20T14:50:24+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2025-15224",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 3.1,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        287
      ],
      "description": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-15224"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/07/7"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-15224"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-15224.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2025-15224.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-hccr-q52r-4w88"
        },
        {
          "url": "https://hackerone.com/reports/3480925"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15224"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8062-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-15224"
        }
      ],
      "published": "2026-01-08T10:15:47+00:00",
      "updated": "2026-01-20T14:47:52+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-15282",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        93
      ],
      "description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-15282"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-15282"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0"
        },
        {
          "url": "https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38"
        },
        {
          "url": "https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80"
        },
        {
          "url": "https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a825a45d318fe47"
        },
        {
          "url": "https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a"
        },
        {
          "url": "https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f"
        },
        {
          "url": "https://github.com/python/cpython/issues/143925"
        },
        {
          "url": "https://github.com/python/cpython/pull/143926"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2025-15282.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15282"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8018-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8018-3"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-15282"
        }
      ],
      "published": "2026-01-20T22:15:50+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-1632",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        404,
        476
      ],
      "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-1632"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-1632"
        },
        {
          "url": "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7454-1"
        },
        {
          "url": "https://vuldb.com/?ctiid.296619"
        },
        {
          "url": "https://vuldb.com/?id.296619"
        },
        {
          "url": "https://vuldb.com/?submit.496460"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1632"
        }
      ],
      "published": "2025-02-24T14:15:11+00:00",
      "updated": "2025-03-25T15:41:41+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-1795",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.1,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        116
      ],
      "description": "During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-1795"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-1795"
        },
        {
          "url": "https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48"
        },
        {
          "url": "https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593"
        },
        {
          "url": "https://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74"
        },
        {
          "url": "https://github.com/python/cpython/commit/a4ef689ce670684ec132204b1cd03720c8e0a03d"
        },
        {
          "url": "https://github.com/python/cpython/commit/d4df3c55e4c5513947f907f24766b34d2ae8c090"
        },
        {
          "url": "https://github.com/python/cpython/issues/100884"
        },
        {
          "url": "https://github.com/python/cpython/pull/100885"
        },
        {
          "url": "https://github.com/python/cpython/pull/119099"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1795"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7570-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1795"
        }
      ],
      "published": "2025-02-28T19:15:36+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-27113",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "bitnami"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.1,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        476
      ],
      "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-27113"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/10"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/11"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/12"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/13"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/4"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/5"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2025/Apr/9"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-27113"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20250306-0004/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7302-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-27113"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/02/18/2"
        }
      ],
      "published": "2025-02-18T23:15:10+00:00",
      "updated": "2025-11-03T22:18:43+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-28164",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        401,
        120
      ],
      "description": "Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-28164"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-28164"
        },
        {
          "url": "https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20"
        },
        {
          "url": "https://github.com/pnggroup/libpng/issues/655"
        },
        {
          "url": "https://github.com/pnggroup/libpng/pull/657"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28164"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7993-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-28164"
        }
      ],
      "published": "2026-01-27T16:16:14+00:00",
      "updated": "2026-03-04T19:42:07+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.6.37-15.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-30258",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        754
      ],
      "description": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-30258"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-30258"
        },
        {
          "url": "https://dev.gnupg.org/T7527"
        },
        {
          "url": "https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158"
        },
        {
          "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30258"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7412-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7412-3"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-30258"
        }
      ],
      "published": "2025-03-19T20:15:20+00:00",
      "updated": "2025-10-16T16:53:07+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.3.3-5.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-3360",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        190
      ],
      "description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-3360"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-3360"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2357754"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00024.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3360"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7942-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7942-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-3360"
        }
      ],
      "published": "2025-04-07T13:15:43+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-4516",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        416
      ],
      "description": "There is an issue in CPython when using `bytes.decode(\"unicode_escape\", error=\"ignore|replace\")`. If you are not using the \"unicode_escape\" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-4516"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/05/16/4"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/05/19/1"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2025:23530"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-4516"
        },
        {
          "url": "https://bugzilla.redhat.com/2294682"
        },
        {
          "url": "https://bugzilla.redhat.com/2321440"
        },
        {
          "url": "https://bugzilla.redhat.com/2325776"
        },
        {
          "url": "https://bugzilla.redhat.com/2343237"
        },
        {
          "url": "https://bugzilla.redhat.com/2366509"
        },
        {
          "url": "https://bugzilla.redhat.com/2370010"
        },
        {
          "url": "https://bugzilla.redhat.com/2370014"
        },
        {
          "url": "https://bugzilla.redhat.com/2370016"
        },
        {
          "url": "https://bugzilla.redhat.com/2372426"
        },
        {
          "url": "https://bugzilla.redhat.com/2373234"
        },
        {
          "url": "https://bugzilla.redhat.com/2402342"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294682"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321440"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325776"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343237"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366509"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370010"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370014"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370016"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372426"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373234"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402342"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11168"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5642"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9287"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0938"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4138"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4330"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4435"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4516"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4517"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6069"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8291"
        },
        {
          "url": "https://errata.almalinux.org/8/ALSA-2025-23530.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2025:23530"
        },
        {
          "url": "https://github.com/python/cpython/commit/4398b788ffc1f954a2c552da285477d42a571292"
        },
        {
          "url": "https://github.com/python/cpython/commit/5646648678295a44aa82636c6e92826651baf33a"
        },
        {
          "url": "https://github.com/python/cpython/commit/6279eb8c076d89d3739a6edb393e43c7929b429d"
        },
        {
          "url": "https://github.com/python/cpython/commit/69b4387f78f413e8c47572a85b3478c47eba8142"
        },
        {
          "url": "https://github.com/python/cpython/commit/73b3040f592436385007918887b7e2132aa8431f"
        },
        {
          "url": "https://github.com/python/cpython/commit/8d35fd1b34935221aff23a1ab69a429dd156be77"
        },
        {
          "url": "https://github.com/python/cpython/commit/9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e"
        },
        {
          "url": "https://github.com/python/cpython/commit/9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e"
        },
        {
          "url": "https://github.com/python/cpython/commit/ab9893c40609935e0d40a6d2a7307ea51aec598b"
        },
        {
          "url": "https://github.com/python/cpython/issues/133767"
        },
        {
          "url": "https://github.com/python/cpython/pull/129648"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2025-4516.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2025-23530.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4516"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7570-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-4516"
        }
      ],
      "published": "2025-05-15T14:15:31+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-50181",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        601
      ],
      "description": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-50181"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-50181"
        },
        {
          "url": "https://github.com/urllib3/urllib3"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857"
        },
        {
          "url": "https://github.com/urllib3/urllib3/releases/tag/2.5.0"
        },
        {
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50181"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7599-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7599-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-50181"
        }
      ],
      "published": "2025-06-19T01:15:24+00:00",
      "updated": "2025-12-22T19:15:49+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "21.3.1-2.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        }
      ]
    },
    {
      "id": "CVE-2025-50182",
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        601
      ],
      "description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-50182"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-50182"
        },
        {
          "url": "https://github.com/urllib3/urllib3"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f"
        },
        {
          "url": "https://github.com/urllib3/urllib3/releases/tag/2.5.0"
        },
        {
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50182"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7599-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-50182"
        }
      ],
      "published": "2025-06-19T02:15:17+00:00",
      "updated": "2025-12-22T19:15:49+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "21.3.1-2.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2025-5278",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"
        }
      ],
      "cwes": [
        121
      ],
      "description": "A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-5278"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/05/27/2"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/05/29/1"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/05/29/2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-5278"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368764"
        },
        {
          "url": "https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633"
        },
        {
          "url": "https://cgit.git.savannah.gnu.org/cgit/coreutils.git/tree/NEWS?id=8c9602e3a145e9596dc1a63c6ed67865814b6633#n14"
        },
        {
          "url": "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5278"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-5278"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-5278"
        }
      ],
      "published": "2025-05-27T21:15:23+00:00",
      "updated": "2026-05-19T17:16:21+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/coreutils-single@8.32-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "8.32-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "8.32-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "8.32-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/coreutils-single@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/coreutils-single@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/coreutils-common@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/coreutils@8.32-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-5915",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.6,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        122
      ],
      "description": "A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-5915"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-5915"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370865"
        },
        {
          "url": "https://github.com/libarchive/libarchive/pull/2599"
        },
        {
          "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5915"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7601-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-5915"
        }
      ],
      "published": "2025-06-09T20:15:26+00:00",
      "updated": "2026-01-08T04:15:55+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-5916",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        190
      ],
      "description": "A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-5916"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-5916"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370872"
        },
        {
          "url": "https://github.com/libarchive/libarchive/pull/2568"
        },
        {
          "url": "https://github.com/libarchive/libarchive/pull/2568/commits/bce70c4c26864df2a8d6953e7db6e4b156253508"
        },
        {
          "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5916"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7601-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8147-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-5916"
        }
      ],
      "published": "2025-06-09T20:15:27+00:00",
      "updated": "2025-12-12T01:15:46+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-5917",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.8,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. This bug affects libarchive versions prior to 3.8.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-5917"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-5917"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370874"
        },
        {
          "url": "https://github.com/libarchive/libarchive/pull/2588"
        },
        {
          "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5917"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7601-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8147-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-5917"
        }
      ],
      "published": "2025-06-09T20:15:27+00:00",
      "updated": "2025-12-12T01:15:46+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-5918",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        125
      ],
      "description": "A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-5918"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-5918"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370877"
        },
        {
          "url": "https://github.com/libarchive/libarchive/pull/2584"
        },
        {
          "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5918"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8147-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-5918"
        }
      ],
      "published": "2025-06-09T20:15:27+00:00",
      "updated": "2025-08-15T18:35:04+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-60753",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        400,
        835
      ],
      "description": "An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-60753"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-60753"
        },
        {
          "url": "https://github.com/Papya-j/CVE/tree/main/CVE-2025-60753"
        },
        {
          "url": "https://github.com/libarchive/libarchive/issues/2725"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60753"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8147-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-60753"
        }
      ],
      "published": "2025-11-05T16:15:40+00:00",
      "updated": "2026-02-04T21:19:45+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-6170",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        121
      ],
      "description": "A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-6170"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7519"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-6170"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372952"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/941"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6170"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7694-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-6170"
        }
      ],
      "published": "2025-06-16T16:15:20+00:00",
      "updated": "2026-06-02T14:16:38+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-64118",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "cwes": [
        362,
        367
      ],
      "description": "node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-64118"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-64118"
        },
        {
          "url": "https://github.com/isaacs/node-tar"
        },
        {
          "url": "https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d"
        },
        {
          "url": "https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9"
        },
        {
          "url": "https://github.com/isaacs/node-tar/issues/445"
        },
        {
          "url": "https://github.com/isaacs/node-tar/pull/446"
        },
        {
          "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64118"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64118"
        }
      ],
      "published": "2025-10-30T18:15:33+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.34-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-64505",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        125
      ],
      "description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-64505"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-64505"
        },
        {
          "url": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37"
        },
        {
          "url": "https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37"
        },
        {
          "url": "https://github.com/pnggroup/libpng/pull/748"
        },
        {
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64505"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7924-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8081-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64505"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/11/22/1"
        }
      ],
      "published": "2025-11-25T00:15:47+00:00",
      "updated": "2025-11-26T18:28:32+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.6.37-15.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-64506",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        125
      ],
      "description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-64506"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-64506"
        },
        {
          "url": "https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821"
        },
        {
          "url": "https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821"
        },
        {
          "url": "https://github.com/pnggroup/libpng/pull/749"
        },
        {
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64506"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7924-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64506"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2025/11/22/1"
        }
      ],
      "published": "2025-11-25T00:15:47+00:00",
      "updated": "2025-11-26T18:34:38+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.6.37-15.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-66382",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        407
      ],
      "description": "In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-66382"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/12/02/1"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-66382"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://github.com/libexpat/libexpat/issues/1076"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66382"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66382"
        }
      ],
      "published": "2025-11-28T07:15:57+00:00",
      "updated": "2026-06-02T14:16:37+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-68972",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
        }
      ],
      "cwes": [
        347
      ],
      "description": "In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-68972"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-68972"
        },
        {
          "url": "https://github.com/advisories/GHSA-w789-3q45-984r"
        },
        {
          "url": "https://gpg.fail/formfeed"
        },
        {
          "url": "https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i"
        },
        {
          "url": "https://news.ycombinator.com/item?id=46404339"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68972"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-68972"
        }
      ],
      "published": "2025-12-27T23:15:40+00:00",
      "updated": "2026-01-09T20:08:47+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.3.3-5.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-7039",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        22
      ],
      "description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-7039"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-7039"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392423"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3716"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7039"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7942-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7942-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-7039"
        }
      ],
      "published": "2025-09-03T02:15:38+00:00",
      "updated": "2026-06-02T14:16:39+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-70873",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "bitnami"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
        }
      ],
      "cwes": [
        244
      ],
      "description": "An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-70873"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-70873"
        },
        {
          "url": "https://gist.github.com/cnwangjihe/f496393f30f5ecec5b18c8f5ab072054"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70873"
        },
        {
          "url": "https://sqlite.org/forum/forumpost/761eac3c82"
        },
        {
          "url": "https://sqlite.org/src/info/3d459f1fb1bd1b5e"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-70873"
        }
      ],
      "published": "2026-03-12T19:16:15+00:00",
      "updated": "2026-04-16T21:15:47+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.34.1-10.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/sqlite-libs@3.34.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2025-9232",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.1,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        125
      ],
      "description": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-9232"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2025/09/30/5"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-9232"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-485750.html"
        },
        {
          "url": "https://github.com/advisories/GHSA-76r2-c3cg-f5r9"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/2b4ec20e47959170422922eaff25346d362dcb35"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/654dc11d23468a74fc8ea4672b702dd3feb7be4b"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7cf21a30513c9e43c4bc3836c237cf086e194af3"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/89e790ac431125a4849992858490bed6b225eadf"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/bbf38c034cdabd0a13330abcc4855c866f53d2e0"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9232"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20250930.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7786-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7894-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-9232"
        }
      ],
      "published": "2025-09-30T14:15:41+00:00",
      "updated": "2026-06-02T14:16:41+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-0672",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        93
      ],
      "description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-0672"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-0672"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172"
        },
        {
          "url": "https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440"
        },
        {
          "url": "https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d"
        },
        {
          "url": "https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca"
        },
        {
          "url": "https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70"
        },
        {
          "url": "https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85"
        },
        {
          "url": "https://github.com/python/cpython/issues/143919"
        },
        {
          "url": "https://github.com/python/cpython/pull/143920"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-0672.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0672"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8018-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8018-3"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0672"
        }
      ],
      "published": "2026-01-20T22:15:52+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-0988",
      "ratings": [
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        190
      ],
      "description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-0988"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7461"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-0988"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429886"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3851"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0988"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7971-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0988"
        }
      ],
      "published": "2026-01-21T12:15:55+00:00",
      "updated": "2026-04-24T21:16:17+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-0989",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        674
      ],
      "description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-0989"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7519"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-0989"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429933"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/998"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0989"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7974-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0989"
        }
      ],
      "published": "2026-01-15T15:15:52+00:00",
      "updated": "2026-04-22T10:16:49+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-0990",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        674
      ],
      "description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-0990"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7519"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-0990"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429959"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0990"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7974-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0990"
        }
      ],
      "published": "2026-01-15T15:15:52+00:00",
      "updated": "2026-04-22T10:16:50+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-0992",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        400
      ],
      "description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-0992"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7519"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-0992"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429975"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0992"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-7974-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0992"
        }
      ],
      "published": "2026-01-15T15:15:52+00:00",
      "updated": "2026-04-22T10:16:50+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-11850",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H"
        }
      ],
      "cwes": [
        191
      ],
      "description": "An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read.\nThe attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-11850"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25520"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-11850"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459970"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11850"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-11850"
        }
      ],
      "published": "2026-06-11T10:16:21+00:00",
      "updated": "2026-06-12T15:16:24+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/krb5-libs@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.21.1-10.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/krb5-pkinit@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.21.1-10.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/krb5-workstation@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.21.1-10.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libkadm5@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.21.1-10.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/krb5-libs@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/krb5-libs@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/krb5-pkinit@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/krb5-workstation@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libkadm5@1.21.1-10.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-1484",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-1484"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-1484"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433259"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3870"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1484"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8017-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1484"
        }
      ],
      "published": "2026-01-27T14:15:56+00:00",
      "updated": "2026-06-02T14:16:45+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-1485",
      "ratings": [
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.8,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        124
      ],
      "description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-1485"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-1485"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433325"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3871"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1485"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8017-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1485"
        }
      ],
      "published": "2026-01-27T14:15:56+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-1489",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-1489"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-1489"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433348"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3872"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1489"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8017-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1489"
        }
      ],
      "published": "2026-01-27T15:15:57+00:00",
      "updated": "2026-06-02T14:16:45+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.68.4-19.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glib2@2.68.4-19.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-1502",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        }
      ],
      "cwes": [
        93
      ],
      "description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-1502"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/11/4"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-1502"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69"
        },
        {
          "url": "https://github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd"
        },
        {
          "url": "https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed"
        },
        {
          "url": "https://github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec"
        },
        {
          "url": "https://github.com/python/cpython/issues/146211"
        },
        {
          "url": "https://github.com/python/cpython/pull/146212"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-1502.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1502"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1502"
        }
      ],
      "published": "2026-04-10T18:16:40+00:00",
      "updated": "2026-06-04T15:16:50+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-1757",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        401
      ],
      "description": "A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-1757"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7519"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-1757"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435940"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1757"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1757"
        }
      ],
      "published": "2026-02-02T13:15:58+00:00",
      "updated": "2026-04-22T10:16:50+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-1965",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        305
      ],
      "description": "libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-1965"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-1965"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-1965.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-1965.json"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1965"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8084-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8099-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1965"
        }
      ],
      "published": "2026-03-11T11:15:59+00:00",
      "updated": "2026-03-12T14:11:19+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-22020",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        }
      ],
      "description": "The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* JDK: Enhance crypto algorithm support (CVE-2026-22007)\n\n* JDK: Improve Kerberos credentialing (CVE-2026-22013)\n\n* JDK: Enhance Path Factories Redux (CVE-2026-22016)\n\n* JDK: Enhance Zip file reading (CVE-2026-22018)\n\n* JDK: Enhance certificate chain validation (CVE-2026-22021)\n\n* JDK: Updating FreeType 2.14.1 (CVE-2026-23865)\n\n* JDK: Enhance TLS connection handling (CVE-2026-34282)\n\n* JDK: Enhance key generation (CVE-2026-34268)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-22020"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418711"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438542"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448747"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460038"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460039"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460040"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460041"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460042"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460043"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460044"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460045"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66293"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22007"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22013"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22016"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22018"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22020"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22021"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23865"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25646"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26740"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34268"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34282"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:9686"
        }
      ],
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.6.37-15.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-22185",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        125,
        191
      ],
      "description": "OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-22185"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-22185"
        },
        {
          "url": "https://bugs.openldap.org/show_bug.cgi?id=10421"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22185"
        },
        {
          "url": "https://seclists.org/fulldisclosure/2026/Jan/5"
        },
        {
          "url": "https://seclists.org/fulldisclosure/2026/Jan/8"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-22185"
        },
        {
          "url": "https://www.openldap.org/"
        },
        {
          "url": "https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline"
        }
      ],
      "published": "2026-01-07T21:16:01+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openldap@2.6.8-4.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.6.8-4.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openldap@2.6.8-4.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openldap@2.6.8-4.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-22693",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        476
      ],
      "description": "HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-22693"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/11/1"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/01/12/1"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-22693"
        },
        {
          "url": "https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae"
        },
        {
          "url": "https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22693"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-22693"
        }
      ],
      "published": "2026-01-10T06:15:52+00:00",
      "updated": "2026-02-18T17:49:22+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.7.4-10.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/harfbuzz@2.7.4-10.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-2297",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        668
      ],
      "description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-2297"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/05/6"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-2297"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e"
        },
        {
          "url": "https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9"
        },
        {
          "url": "https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd"
        },
        {
          "url": "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e"
        },
        {
          "url": "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86"
        },
        {
          "url": "https://github.com/python/cpython/issues/145506"
        },
        {
          "url": "https://github.com/python/cpython/pull/145507"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-2297.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2297"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2297"
        }
      ],
      "published": "2026-03-04T23:16:10+00:00",
      "updated": "2026-05-01T16:16:30+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-23865",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "bitnami"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 4.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        125
      ],
      "description": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-23865"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/03/8"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:9693"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-23865"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460038"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460039"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460040"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460041"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460042"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460043"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460044"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22007"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22013"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22016"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22018"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22021"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23865"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34268"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34282"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-9693.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:9689"
        },
        {
          "url": "https://github.com/advisories/GHSA-878v-mxg6-vj8f"
        },
        {
          "url": "https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-23865.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-9693.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23865"
        },
        {
          "url": "https://sourceforge.net/projects/freetype/files/freetype2/2.14.2"
        },
        {
          "url": "https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8086-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8327-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8328-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8330-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8331-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8332-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8333-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8334-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8339-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8341-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23865"
        },
        {
          "url": "https://www.facebook.com/security/advisories/cve-2026-23865"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2026.html#AppendixJAVA"
        }
      ],
      "published": "2026-03-02T17:16:32+00:00",
      "updated": "2026-05-01T17:41:13+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.10.4-10.el9_5",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/freetype@2.10.4-10.el9_5?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-24515",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        476
      ],
      "description": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-24515"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-24515"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1131"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24515"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8022-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8022-2"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8023-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-24515"
        }
      ],
      "published": "2026-01-23T08:16:01+00:00",
      "updated": "2026-06-02T14:16:49+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-24883",
      "ratings": [
        {
          "source": {
            "name": "julia"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        476
      ],
      "description": "In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-24883"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-24883"
        },
        {
          "url": "https://dev.gnupg.org/T8049"
        },
        {
          "url": "https://github.com/advisories/GHSA-7246-cvp4-g68w"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24883"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-24883"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"
        }
      ],
      "published": "2026-01-27T19:16:16+00:00",
      "updated": "2026-02-06T18:06:07+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.3.3-5.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/gnupg2@2.3.3-5.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-25068",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        129
      ],
      "description": "alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-25068"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-25068"
        },
        {
          "url": "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25068"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8044-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8044-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-25068"
        },
        {
          "url": "https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow"
        }
      ],
      "published": "2026-01-29T20:16:10+00:00",
      "updated": "2026-04-15T00:35:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.2.15.3-1.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/alsa-lib@1.2.15.3-1.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-25645",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"
        }
      ],
      "cwes": [
        377
      ],
      "description": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.",
      "recommendation": "; Upgrade requests to version 2.33.0",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-25645"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-25645"
        },
        {
          "url": "https://github.com/psf/requests"
        },
        {
          "url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"
        },
        {
          "url": "https://github.com/psf/requests/releases/tag/v2.33.0"
        },
        {
          "url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25645"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-25645"
        }
      ],
      "published": "2026-03-25T17:16:52+00:00",
      "updated": "2026-03-30T14:23:16+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/requests@2.32.5",
          "versions": [
            {
              "version": "2.32.5",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "21.3.1-2.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/requests@2.32.5"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-2673",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        757
      ],
      "description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security.  Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-2673"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/13/3"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-2673"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://github.com/advisories/GHSA-wj64-gh9j-xm82"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2673"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260313.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2673"
        }
      ],
      "published": "2026-03-13T19:54:34+00:00",
      "updated": "2026-06-05T19:48:51+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.0.7-8.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.0.7-8.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-27171",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 2.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        1284
      ],
      "description": "zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-27171"
        },
        {
          "url": "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit"
        },
        {
          "url": "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/"
        },
        {
          "url": "https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-27171"
        },
        {
          "url": "https://github.com/advisories/GHSA-h858-mf2m-8jf4"
        },
        {
          "url": "https://github.com/madler/zlib/issues/904"
        },
        {
          "url": "https://github.com/madler/zlib/releases/tag/v1.3.2"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27171"
        },
        {
          "url": "https://ostif.org/zlib-audit-complete"
        },
        {
          "url": "https://ostif.org/zlib-audit-complete/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27171"
        }
      ],
      "published": "2026-02-18T04:16:01+00:00",
      "updated": "2026-03-25T21:27:04+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.2.11-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-27456",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        59,
        269,
        367
      ],
      "description": "util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-27456"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-27456"
        },
        {
          "url": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4"
        },
        {
          "url": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4"
        },
        {
          "url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27456"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27456"
        }
      ],
      "published": "2026-04-03T22:16:25+00:00",
      "updated": "2026-04-22T16:08:55+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libfdisk@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libsmartcols@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/util-linux-core@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/util-linux@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.37.4-25.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libfdisk@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libsmartcols@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/util-linux-core@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/util-linux@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libfdisk@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libsmartcols@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/util-linux-core@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/util-linux@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libblkid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libmount@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libuuid@2.37.4-25.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-28387",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 8.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        416
      ],
      "description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages.  These SMTP (or other similar) clients are not vulnerable\nto this issue.  Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-28387"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-28387"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28387"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260407.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-28387"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/07/11"
        }
      ],
      "published": "2026-04-07T22:16:20+00:00",
      "updated": "2026-05-12T13:17:33+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-28388",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        476
      ],
      "description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension\nis processed a NULL pointer dereference might happen if the required CRL\nNumber extension is missing.\n\nImpact summary: A NULL pointer dereference can trigger a crash which\nleads to a Denial of Service for an application.\n\nWhen CRL processing and delta CRL processing is enabled during X.509\ncertificate verification, the delta CRL processing does not check\nwhether the CRL Number extension is NULL before dereferencing it.\nWhen a malformed delta CRL file is being processed, this parameter\ncan be NULL, causing a NULL pointer dereference.\n\nExploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in\nthe verification context, the certificate being verified to contain a\nfreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and\nan attacker to provide a malformed CRL to an application that processes it.\n\nThe vulnerability is limited to Denial of Service and cannot be escalated to\nachieve code execution or memory disclosure. For that reason the issue was\nassessed as Low severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-28388"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-28388"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28388"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260407.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-28388"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/07/11"
        }
      ],
      "published": "2026-04-07T22:16:20+00:00",
      "updated": "2026-05-12T13:17:33+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-28389",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        476
      ],
      "description": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-28389"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-28389"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
        },
        {
          "url": "https://github.com/advisories/GHSA-7x88-9hgc-69gf"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28389"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260407.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-28389"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/07/11"
        }
      ],
      "published": "2026-04-07T22:16:21+00:00",
      "updated": "2026-05-12T13:17:33+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-31789",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 9.8,
          "severity": "critical",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "critical"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.8,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        787
      ],
      "description": "Issue summary: Converting an excessively large OCTET STRING value to\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nan attacker controlled code execution or other undefined behavior.\n\nIf an attacker can supply a crafted X.509 certificate with an excessively\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\n(SKID) or Authority Key Identifier (AKID) which are being converted to hex,\nthe size of the buffer needed for the result is calculated as multiplication\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\n\nApplications and services that print or log contents of untrusted X.509\ncertificates are vulnerable to this issue. As the certificates would have\nto have sizes of over 1 Gigabyte, printing or logging such certificates\nis a fairly unlikely operation and only 32 bit platforms are affected,\nthis issue was assigned Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-31789"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-31789"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://github.com/advisories/GHSA-j79m-9jxq-788r"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/364f095b80601db632b0def6a33316967f863bde"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7a9087efd769f362ad9c0e30c7baaa6bbfa65ecf"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/945b935ac66cc7f1a41f1b849c7c25adb5351f49"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/a24216018e1ede8ff01a4ff5afff7dfbd443e2f9"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/a91e537d16d74050dbde50bb0dfb1fe9930f0521"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31789"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260407.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-31789"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/07/11"
        }
      ],
      "published": "2026-04-07T22:16:21+00:00",
      "updated": "2026-05-12T13:17:34+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-31790",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        754
      ],
      "description": "Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-31790"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19218"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-31790"
        },
        {
          "url": "https://bugzilla.redhat.com/2451094"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451094"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31790"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19218.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19218"
        },
        {
          "url": "https://github.com/advisories/GHSA-vgxx-5xj5-q97x"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/001e01db3e996e13ffc72386fe79d03a6683b5ac"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/abd8b2eec7e3f3fda60ecfb68498b246b52af482"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/b922e24e5b23ffb9cb9e14cadff23d91e9f7e406"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d5f8e71cd0a54e961d0c3b174348f8308486f790"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/eed200f58cd8645ed77e46b7e9f764e284df379e"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31790"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260407.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8155-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-31790"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/07/11"
        }
      ],
      "published": "2026-04-07T22:16:21+00:00",
      "updated": "2026-05-12T13:17:34+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.0.7-8.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.0.7-8.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-fips-provider-so@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-fips-provider@3.0.7-8.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-3219",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
        }
      ],
      "cwes": [
        434
      ],
      "description": "pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing \"incorrect\" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.",
      "recommendation": "Upgrade pip to version 26.1",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3219"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/20/8"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3219"
        },
        {
          "url": "https://github.com/pypa/pip"
        },
        {
          "url": "https://github.com/pypa/pip/issues/13867"
        },
        {
          "url": "https://github.com/pypa/pip/pull/13870"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3219"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3219"
        }
      ],
      "published": "2026-04-20T16:16:45+00:00",
      "updated": "2026-04-20T21:16:36+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/pip@26.0.1",
          "versions": [
            {
              "version": "26.0.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/pip@26.0.1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-32284",
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        125
      ],
      "description": "The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-32284"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-32284"
        },
        {
          "url": "https://github.com/golang/vulndb/issues/4513"
        },
        {
          "url": "https://github.com/shamaton/msgpack"
        },
        {
          "url": "https://github.com/shamaton/msgpack/issues/59"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32284"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4513"
        },
        {
          "url": "https://securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32284"
        }
      ],
      "published": "2026-03-26T20:16:12+00:00",
      "updated": "2026-06-03T14:42:23+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "21.3.1-2.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-pip-wheel@21.3.1-2.el9_8?arch=noarch&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-3276",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        407
      ],
      "description": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3276"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3276"
        },
        {
          "url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
        },
        {
          "url": "https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598"
        },
        {
          "url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
        },
        {
          "url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
        },
        {
          "url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
        },
        {
          "url": "https://github.com/python/cpython/issues/149079"
        },
        {
          "url": "https://github.com/python/cpython/pull/149080"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3276"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3276"
        }
      ],
      "published": "2026-06-03T16:16:29+00:00",
      "updated": "2026-06-16T15:16:39+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-32776",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        476
      ],
      "description": "libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-32776"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-32776"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1158"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1159"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32776"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32776"
        }
      ],
      "published": "2026-03-16T14:19:44+00:00",
      "updated": "2026-03-17T15:52:09+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-32777",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        835
      ],
      "description": "libexpat before 2.7.5 allows an infinite loop while parsing DTD content.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-32777"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-32777"
        },
        {
          "url": "https://github.com/libexpat/libexpat/issues/1161"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1159"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1162"
        },
        {
          "url": "https://issues.oss-fuzz.com/issues/486993411"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32777"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32777"
        }
      ],
      "published": "2026-03-16T14:19:44+00:00",
      "updated": "2026-03-17T15:52:34+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-32778",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        476
      ],
      "description": "libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-32778"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-32778"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1159"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1163"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32778"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32778"
        }
      ],
      "published": "2026-03-16T14:19:44+00:00",
      "updated": "2026-03-17T15:52:53+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-33056",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        61
      ],
      "description": "tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory \u2014 and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-33056"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-33056"
        },
        {
          "url": "https://github.com/alexcrichton/tar-rs"
        },
        {
          "url": "https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446"
        },
        {
          "url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33056"
        },
        {
          "url": "https://rustsec.org/advisories/RUSTSEC-2026-0067.html"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8138-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8139-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8168-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33056"
        }
      ],
      "published": "2026-03-20T08:16:11+00:00",
      "updated": "2026-03-24T16:17:11+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.34-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-34180",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        125
      ],
      "description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive\nelement whose content exceeds 2 gigabytes in length may cause a heap buffer\nover-read on 64-bit Unix and Unix-like platforms.\n\nImpact summary: The heap buffer over-read may crash the application (Denial of\nService) or to load into the decoded ASN.1 object contents of memory beyond the\nend of the input buffer.  More typically such ASN.1 elements would instead be\ntruncated.\n\nAn integer truncation in OpenSSL's ASN.1 decoder causes the content length of\nan ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the\nworst case the truncated length is treated as a request to scan the binary\ncontent for a terminating zero byte, possibly causing OpenSSL to read either\nless than or beyond the end of the allocated buffer.\n\nApplications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or\nany other d2i_* decoding function are affected. OpenSSL's own command-line\ntools are not vulnerable, as data read through the BIO layer is checked before\nit reaches the affected code. The issue only affects 64-bit Unix and Unix-like\nplatforms; 32-bit platforms and 64-bit Windows are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-34180"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-34180"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d93853c42110d6319e3df07842b488cb9f7ac5ff"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/da5d62af75f69d6fbf7803743d7c56ac75461e43"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/f696c73c3e61b8c502d040af62e690c060908a16"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34180"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34180"
        }
      ],
      "published": "2026-06-09T17:17:04+00:00",
      "updated": "2026-06-15T18:13:21+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-34181",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        354
      ],
      "description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input\nvalidation for files that use Password-Based Message Authentication Code 1\n(PBMAC1) integrity mechanism allowing a certificate and private key forgery.\n\nImpact Summary: An attacker impersonating a user can cause a service reading\nPKCS#12 files to accept forged certificates and private keys with a 1 in 256\nprobability.\n\nIf a service accepting PKCS#12 files is using passwords for authenticating\nthe received files, the attacker can create unencrypted PKCS#12 files that\nuse PBMAC1 authentication that specifies an HMAC key of only one byte, allowing\nthem to craft a file that will be accepted with a 1 in 256 probability.\nThat would then cause the service to accept a certificate and private key\ncontrolled by the attacker.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-34181"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-34181"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/0300eb9ddce7a0895bf301a4b0c03a9da2313a0f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/79eb76a937e474bb7610a0a3dc57131dc8dc6610"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/85dcbb3abaa4878af5c8fbbe11bce708fcf984a7"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/ec36f2417c4ddd8cabce4b4a60a3d7a7365f2d81"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34181"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34181"
        }
      ],
      "published": "2026-06-09T17:17:04+00:00",
      "updated": "2026-06-15T18:13:13+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-34182",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "critical"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "critical"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        354
      ],
      "description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform\nsufficient input validation on the cipher and tag length fields of\nAuthEnvelopedData containers, leading to various potential compromises.\n\nImpact Summary: Attackers making use of these vulnerabilities may achieve\nkey-equivalent functionality for a given CMS recipient and/or bypass integrity\nvalidation for a given message.\n\nIn one use case, an attacker may send a CMS message containing\nAuthEnvelopedData with the cipher specified as a non-AEAD cipher.  OpenSSL\nerroneously allows this selection, and attempts to decrypt and validate the\nmessage.\n\nAn on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData\naddressed to the victim can re-emit it with the recipientInfos set left\nbyte-for-byte intact, so the victim's private key still unwraps the genuine CEK\n(the content-encryption key), but with the inner OID rewritten to AES-256-OFB\n(Output Feedback Mode, an unauthenticated keystream mode) and with an\nattacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the\nreal CEK, never consults the MAC field, and CMS_decrypt() returns success.\n\nIf the application under attack responds to the attacker with any indicator\nshowing success or failure of the decryption effort, it is possible for the\nattacker to use this as an oracle to obtain key equivalent functionality for the\nCEK used for the chosen recipient of the message.\n\nIn another use case, an attacker can reduce the tag length of the chosen AEAD\ncipher for a given AuthEnvelopedData container to be a single byte long,\nallowing an attacker to brute force CMS decryption, producing an integrity\nbypass for applications that trust CMS_decrypt() to reject modified content.\n\nThe FIPS modules are not affected by this issue.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-34182"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-34182"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/03c1f4d45fb963aee7d5833390c507cd290182bc"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/439ed7d2c0962ce964482727264668bf277c333f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/9fd97f8cfdc2c0be214998de3b2b55c8edf6c7ac"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d2ca86bcd43e4f17d899f347101766b6107676e0"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34182"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34182"
        }
      ],
      "published": "2026-06-09T17:17:04+00:00",
      "updated": "2026-06-15T18:13:05+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-34183",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        1325
      ],
      "description": "Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-34183"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-34183"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34183"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34183"
        }
      ],
      "published": "2026-06-09T17:17:05+00:00",
      "updated": "2026-06-15T18:12:39+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-34743",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        122
      ],
      "description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-34743"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/31/13"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-34743"
        },
        {
          "url": "https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87"
        },
        {
          "url": "https://github.com/tukaani-project/xz/releases/tag/v5.8.3"
        },
        {
          "url": "https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34743"
        },
        {
          "url": "https://tukaani.org/xz/index-append-overflow.html"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8362-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34743"
        }
      ],
      "published": "2026-04-02T19:21:33+00:00",
      "updated": "2026-04-15T17:33:17+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "5.2.5-8.el9_0",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/xz-libs@5.2.5-8.el9_0?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-34757",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        416
      ],
      "description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-34757"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-34757"
        },
        {
          "url": "https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a"
        },
        {
          "url": "https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc"
        },
        {
          "url": "https://github.com/pnggroup/libpng/issues/836"
        },
        {
          "url": "https://github.com/pnggroup/libpng/issues/837"
        },
        {
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00017.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34757"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8251-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34757"
        }
      ],
      "published": "2026-04-09T15:16:11+00:00",
      "updated": "2026-05-13T23:07:51+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.6.37-15.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libpng@1.6.37-15.el9_8?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-3479",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
        }
      ],
      "cwes": [
        22
      ],
      "description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3479"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3479"
        },
        {
          "url": "https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe"
        },
        {
          "url": "https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7"
        },
        {
          "url": "https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943"
        },
        {
          "url": "https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c"
        },
        {
          "url": "https://github.com/python/cpython/issues/146121"
        },
        {
          "url": "https://github.com/python/cpython/pull/146122"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3479"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3479"
        }
      ],
      "published": "2026-03-18T19:16:06+00:00",
      "updated": "2026-04-07T18:16:46+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-3644",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        }
      ],
      "cwes": [
        20,
        116
      ],
      "description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3644"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3644"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4"
        },
        {
          "url": "https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd"
        },
        {
          "url": "https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd"
        },
        {
          "url": "https://github.com/python/cpython/issues/145599"
        },
        {
          "url": "https://github.com/python/cpython/pull/145600"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-3644.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3644"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3644"
        }
      ],
      "published": "2026-03-16T18:16:09+00:00",
      "updated": "2026-06-04T19:30:28+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-3783",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        522
      ],
      "description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second one.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3783"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/11/2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3783"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-3783.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-3783.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-8whr-249c-vfjp"
        },
        {
          "url": "https://hackerone.com/reports/3583983"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3783"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8084-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8099-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3783"
        }
      ],
      "published": "2026-03-11T11:16:00+00:00",
      "updated": "2026-03-12T14:10:37+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-3784",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        305
      ],
      "description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3784"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/11/3"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3784"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-3784.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-3784.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-5q3w-6p3j-mw6p"
        },
        {
          "url": "https://hackerone.com/reports/3584903"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3784"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8084-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8099-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3784"
        }
      ],
      "published": "2026-03-11T11:16:00+00:00",
      "updated": "2026-06-02T14:16:52+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-3805",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        416
      ],
      "description": "When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-3805"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/11/4"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-3805"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-3805.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-3805.json"
        },
        {
          "url": "https://github.com/advisories/GHSA-2289-hhfc-p684"
        },
        {
          "url": "https://hackerone.com/reports/3591944"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3805"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8084-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3805"
        }
      ],
      "published": "2026-03-11T11:16:00+00:00",
      "updated": "2026-03-12T14:08:56+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-4105",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [
        284
      ],
      "description": "A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-4105"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:7299"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-4105"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447262"
        },
        {
          "url": "https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4105"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4105"
        }
      ],
      "published": "2026-03-13T19:55:13+00:00",
      "updated": "2026-04-30T17:16:26+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "252-67.el9_8.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/systemd-pam@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "252-67.el9_8.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/systemd-rpm-macros@252-67.el9_8.2?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "252-67.el9_8.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/systemd@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "252-67.el9_8.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/systemd-pam@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/systemd-rpm-macros@252-67.el9_8.2?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/systemd@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/systemd-pam@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/systemd-rpm-macros@252-67.el9_8.2?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/systemd@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/systemd-libs@252-67.el9_8.2?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-41080",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        331
      ],
      "description": "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-41080"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/26/1"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-41080"
        },
        {
          "url": "https://blog.hartwork.org/posts/expat-2-8-0-released/"
        },
        {
          "url": "https://github.com/libexpat/libexpat/issues/47"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1183"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41080"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-41080"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/26/1"
        }
      ],
      "published": "2026-04-16T17:16:54+00:00",
      "updated": "2026-06-12T18:43:00+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-41989",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "julia"
          },
          "score": 6.7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-41989"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-41989"
        },
        {
          "url": "https://dev.gnupg.org/T8211"
        },
        {
          "url": "https://github.com/advisories/GHSA-wrv8-79m2-qg24"
        },
        {
          "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41989"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8319-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-41989"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/21/1"
        }
      ],
      "published": "2026-04-23T05:16:05+00:00",
      "updated": "2026-04-27T18:33:18+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.10.0-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-41990",
      "ratings": [
        {
          "source": {
            "name": "julia"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-41990"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-41990"
        },
        {
          "url": "https://dev.gnupg.org/T8208"
        },
        {
          "url": "https://github.com/advisories/GHSA-78pv-qq8x-94px"
        },
        {
          "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41990"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8319-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-41990"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/04/21/1"
        }
      ],
      "published": "2026-04-23T05:16:05+00:00",
      "updated": "2026-04-27T18:33:27+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.10.0-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libgcrypt@1.10.0-11.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-4224",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        }
      ],
      "cwes": [
        674
      ],
      "description": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-4224"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/03/16/4"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19177"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-4224"
        },
        {
          "url": "https://bugzilla.redhat.com/2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418084"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431366"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431374"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13837"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15282"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6075"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0672"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19177"
        },
        {
          "url": "https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a"
        },
        {
          "url": "https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785"
        },
        {
          "url": "https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee"
        },
        {
          "url": "https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3"
        },
        {
          "url": "https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768"
        },
        {
          "url": "https://github.com/python/cpython/issues/145986"
        },
        {
          "url": "https://github.com/python/cpython/pull/145987"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-4224.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-10950.html"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4224"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4224"
        }
      ],
      "published": "2026-03-16T18:16:10+00:00",
      "updated": "2026-06-04T19:33:19+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-42250",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        787
      ],
      "description": "bzip2 contains an off\u2011by\u2011one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out\u2011of\u2011bounds write to a global buffer, resulting in memory corruption and a crash (denial of service).\n\nThis issue was fixed in bzip2 patch\u00a035d122a3df8b0cc4082a4d89fdc6ee99f375fe67",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42250"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42250"
        },
        {
          "url": "https://cert.pl/en/posts/2026/05/CVE-2026-42250/"
        },
        {
          "url": "https://inbox.sourceware.org/bzip2-devel/20260528145407.293768-1-mark@klomp.org/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42250"
        },
        {
          "url": "https://sourceware.org/bzip2/"
        },
        {
          "url": "https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42250"
        }
      ],
      "published": "2026-05-28T14:16:19+00:00",
      "updated": "2026-06-05T08:16:30+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.0.8-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/bzip2-libs@1.0.8-11.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-42308",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.2,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        190
      ],
      "description": "Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42308"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42308"
        },
        {
          "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2026-165.yaml"
        },
        {
          "url": "https://github.com/python-pillow/Pillow"
        },
        {
          "url": "https://github.com/python-pillow/Pillow/pull/9518/changes"
        },
        {
          "url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0"
        },
        {
          "url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42308"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8399-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42308"
        }
      ],
      "published": "2026-05-09T06:16:09+00:00",
      "updated": "2026-05-12T17:57:20+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-42764",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        476
      ],
      "description": "Issue summary: Receiving a QUIC initial packet with an invalid token may\ntrigger a NULL pointer dereference in the OpenSSL QUIC server with\naddress validation disabled.\n\nImpact summary: NULL pointer dereference typically causes abnormal termination\nof the affected QUIC server process and a Denial of Service.\n\nIf the address validation is disabled in the OpenSSL QUIC server\nimplementation, an attacker can crash the server by sending an initial\npacket with an invalid or expired token.\n\nBy default, the client address validation is enabled in the OpenSSL QUIC server\nimplementation, which makes the default configuration not vulnerable\nto this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with\nthe SSL_new_listener() call, the address validation is disabled making the\nvulnerable code reachable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42764"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42764"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/5e3ed291b8af0b03d5d3b9e56a1da69a187e9729"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/a45a0aba8095682c88ff4fc4a784892b8c6f0677"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/bf29a458c1a231eca87e384c62b9c2553fa57a91"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42764"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42764"
        }
      ],
      "published": "2026-06-09T17:17:07+00:00",
      "updated": "2026-06-15T18:25:25+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-42766",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        476
      ],
      "description": "Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42766"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42766"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42766"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42766"
        }
      ],
      "published": "2026-06-09T17:17:07+00:00",
      "updated": "2026-06-15T18:25:08+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-42767",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        476
      ],
      "description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42767"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42767"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/665d5254083affde9982efca7c41dd01cacc8774"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/810b722f772652ad48042bcc7ab07e3414b11d0f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42767"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42767"
        }
      ],
      "published": "2026-06-09T17:17:08+00:00",
      "updated": "2026-06-16T02:58:39+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-42768",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.3,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        514
      ],
      "description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to\nBleichenbacher-style attack when an attacker is able to provide the CMS or\nS/MIME messages and observe the error code and/or decryption output.\n\nImpact summary: The Bleichenbacher-style attack allows an attacker to use the\nvictim's vulnerable application as a way to decrypt or sign messages with the\nvictim's private RSA key.\n\nThe attack is possible in 2 variants.\n\n1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without\nproviding the recipient certificate. In this case OpenSSL iterates over every\nKeyTransRecipientInfo (KTRI) without stopping at the first success.\n\nAn attacker who authors a message with two KTRI entries \u2014 the first one\nwrapping a real CEK under the victim's public key, the second with an\narbitrary probe ciphertext \u2014 obtains opportunity to iterate the 2nd KTRI to\nget a valid PKCS#1 v1.5 padding if the error code of the application is\navailable.\n\nThat is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an\nadaptive-chosen-ciphertext side channel from which the attacker decrypts any\nRSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under\nit.\n\n2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with\nthe recipient certificate, and the recipient is not found, a random\nkey is substituted.\n\nAn attacker who authors a message and is able to compare both error code and\nthe result of the decryption, can mount a Bleichenbacher oracle.\n\nWe are not aware of any applications that provide a remote attacker\nan opportunity to mount an attack described in these scenarios. We consider\nthe existence of such application very unlikely, and for this reason this\nCVE has been evaluated as Low severity.\n\nTo avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the\ninvoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described\nin draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit\nrejection was explicitly disabled.\n\nThe implicit rejection mechanism always returns a plaintext value,\nthe symmetric key. This result is deterministic for the ciphertext and the\nprivate key.  The length of the decryption result can happen to match the\nlength of the key of the symmetric cipher that was used for the content\nencryption. When a certificate is not provided, the last RecipientInfo\nproducing a key that looks valid will be used. It may cause getting garbage\ncontent on decryption. As a proper way to deal with this a recipient\ncertificate has to be provided to identify the particular RecipientInfo for\ndecryption.\n\nThe FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as\nCMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42768"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42768"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/bbb151a83041705d9d001ed2f9c12f5523e1b54d"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/dd68364107a58841c0a2546812518b65d3a23abd"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/f04b377be3d821741c86d1f4bf84dee09f3d5c3e"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42768"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42768"
        }
      ],
      "published": "2026-06-09T17:17:08+00:00",
      "updated": "2026-06-16T02:58:12+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-42769",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        295
      ],
      "description": "Issue Summary: An error in the callback used to verify the certificate\nprovided in a Root CA key update Certificate Management Protocol (CMP)\nmessage response rendered the certificate validation ineffectual, which\ncould lead to escalation of credentials from the Registration Authority (RA)\nlevel to the root Certification Authority (root CA) level.\n\nImpact Summary: The Registration Autority could replace the root CA\ncertificate for the CMP clients with an arbitrary root CA certificate.\n\nOne of the parts of the Certificate Management Protocol (CMP), specified in\nRFC 9810, is Root Certification Authority (root CA) key Rollover,\nwhich is sent by the server in a message with type 'id-it-rootCaKeyUpdate'.\nAs part of these messages, 'newWithOld' certificate, the new root CA\ncertificate signed with the old root CA key, is provided, and verifying its\nsignature is crucial for transferring the trust from the old CA key to the\nnew one.\n\nThe 'id-it-rootCaKeyUpdate' messages are expected to be processed with\nOSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld'\ncertificate.  A typo in the certificate chain building code led to adding\nan incorrect certificate ('newWithOld' instead of 'oldRoot') to the\ncertificate chain, rendering the certificate verification process ineffectual\n(only the issuer name and the algorithm OIDs were verified by other parts\nof the verification code).\n\nAn attacker who already has credentials that satisfy the CMP message\nprotection checks can generate a new key pair and use a crafted self-signed\ncertificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP\nclients would accept as a new trust anchor.\n\nSignificant preconditions for the attack (having valid RA-level credentials)\nare the reason the issue was assigned Low severity.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42769"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42769"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/54d0989997e5fc26057009a9782c3441ce3842fb"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/777b363b16fcf2153bb3ded39dc3838713667c44"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d35cd473a271bf3ce7bf3d32af53217fb83ae92c"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d531f21c0fe99067a66fc0ff1161ef127f9cd70b"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42769"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42769"
        }
      ],
      "published": "2026-06-09T17:17:08+00:00",
      "updated": "2026-06-15T18:26:34+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-42770",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        325
      ],
      "description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)\npeer key, the peer key is not properly checked for the subgroup membership.\n\nImpact summary: A malicious peer which presents an X9.42 key carrying the\nvictim's p and g parameters, a forged q = r (a small prime factor of the\ncofactor (p\u22121)/q_local), and a public value Y of order r can recover the\nvictim's private key after a small number of key exchange attempts.\n\nWhen EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the\nsubgroup membership check Y^q \u2261 1 (mod p) is performed using the peer's\nown q parameter, not the local key's q. The peer's domain parameters are\nthen matched against the domain parameters of the private key, but the value\nof q is not compared.\n\nA malicious peer who presents an X9.42 key carrying the victim's p, g,\na forged q = r (a small prime factor of the cofactor), and a public\nvalue Y of order r passes all checks. The shared secret then takes only\nr distinct values, leaking priv mod r. Repeating for each small-prime\nfactor of the cofactor and combining via CRT recovers the full private\nkey (Lim\u2013Lee / small-subgroup-confinement attack).\n\nThe realistic attack surface is narrow: principally CMP deployments with\nlong-lived RA/CA DHX keys and bespoke enterprise or government applications\nusing X9.42 DHX static keys with interactive protocols and therefore this\nissue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this\nissue.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-42770"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-42770"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42770"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42770"
        }
      ],
      "published": "2026-06-09T17:17:08+00:00",
      "updated": "2026-06-16T02:58:00+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-4426",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        1335
      ],
      "description": "A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-4426"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:8944"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-4426"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449010"
        },
        {
          "url": "https://github.com/libarchive/libarchive/pull/2897"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4426"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8292-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4426"
        }
      ],
      "published": "2026-03-19T15:16:28+00:00",
      "updated": "2026-05-03T21:16:11+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-44431",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        200
      ],
      "description": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.",
      "recommendation": "Upgrade urllib3 to version 2.7.0",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-44431"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-44431"
        },
        {
          "url": "https://github.com/urllib3/urllib3"
        },
        {
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44431"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8379-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44431"
        }
      ],
      "published": "2026-05-13T16:16:57+00:00",
      "updated": "2026-05-14T13:56:27+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/urllib3@2.6.3",
          "versions": [
            {
              "version": "2.6.3",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/urllib3@2.6.3"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-44432",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        409
      ],
      "description": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.",
      "recommendation": "Upgrade urllib3 to version 2.7.0",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-44432"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-44432"
        },
        {
          "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2026-142.yaml"
        },
        {
          "url": "https://github.com/urllib3/urllib3"
        },
        {
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44432"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8379-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44432"
        }
      ],
      "published": "2026-05-13T16:16:57+00:00",
      "updated": "2026-05-14T13:49:25+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/urllib3@2.6.3",
          "versions": [
            {
              "version": "2.6.3",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/urllib3@2.6.3"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-44604",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [
        78
      ],
      "description": "A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-44604"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-44604"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460967"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44604"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44604"
        }
      ],
      "published": "2026-05-28T08:16:35+00:00",
      "updated": "2026-05-28T13:44:54+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python3-rpm@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.1.3-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/rpm-build-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.1.3-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/rpm-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.1.3-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/rpm-plugin-systemd-inhibit@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.1.3-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/rpm-sign-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.1.3-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/rpm@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.16.1.3-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-rpm@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/rpm-build-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/rpm-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/rpm-plugin-systemd-inhibit@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/rpm-sign-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/rpm@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-rpm@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/rpm-build-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/rpm-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/rpm-plugin-systemd-inhibit@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/rpm-sign-libs@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/rpm@4.16.1.3-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-45445",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 9.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        325
      ],
      "description": "Issue summary: When an application drives an AES-OCB context through the\npublic EVP_Cipher() one-shot interface, the application-supplied\ninitialisation vector (IV) is silently discarded.\n\nImpact summary: Every message encrypted under the same key uses the\nsame effective nonce regardless of the IV supplied by the caller,\nresulting in (key, nonce) reuse and loss of confidentiality.  If the\nsame code path is used to compute the authentication tag, the tag\ndepends only on the (key, IV) pair and not on the plaintext or\nciphertext, allowing universal forgery of arbitrary ciphertext from a\nsingle captured message.\n\nOpenSSL provides two ways to drive a cipher: the documented streaming\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\none-shot, EVP_Cipher(), whose documentation explicitly recommends\nagainst use by applications in favour of EVP_CipherUpdate() and\nEVP_CipherFinal_ex().  The OCB provider's streaming handler flushes\nthe application-supplied IV into the OCB context before processing\ndata; the one-shot handler did not.  Every call to EVP_Cipher() on an\nAES-OCB context therefore ran with the all-zero key-derived offset\nstate left by cipher initialisation, regardless of the caller's IV.\n\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\nauthentication tag, the deferred IV setup runs at that point and\nclears the running checksum that should have been accumulated over the\nplaintext.  The resulting tag is a function of (key, IV) only and\nverifies against any ciphertext produced under the same (key, IV)\npair.\n\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\nApplications that drive AES-OCB through the documented streaming AEAD\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only\napplications that combine the AES-OCB cipher with the EVP_Cipher()\none-shot API are vulnerable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45445"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45445"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45445"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45445"
        }
      ],
      "published": "2026-06-09T17:17:18+00:00",
      "updated": "2026-06-16T02:57:17+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-45446",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        325
      ],
      "description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV\n(RFC 8452) mishandle the authentication of AAD (Additional Authenticated\nData) with an empty ciphertext allowing a forgery of such messages.\n\nImpact summary: An attacker can forge empty messages with arbitrary AAD\nto the victim's application using these ciphers.\n\nAES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD\nmodes: they accept a key, nonce, optional AAD (bytes that are authenticated\nbut not encrypted), and plaintext, and produces ciphertext plus a 16-byte\ntag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only\nif the tag is verified succesfully.\n\nIn OpenSSL's provider implementation of these ciphers, the expected tag is\ncomputed only when decryption function is invoked with non-empty data.\nIf the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without\ninvocation of the ciphertext update, which can happen when the received\nciphertext length is zero, the tag is never recalculated and still holds its\nall-zeros value.\n\nWhen AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty\nciphertext, and all-zeros tag passes authentication under any key they do not\nknow, single-shot. When AES-SIV is used, for mounting the attack it's\nnecessary for the application to reuse the decryption context without\nresetting the key.\n\nAES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since\nOpenSSL 3.2.\n\nNo protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support\neither AES-GCM-SIV or AES-SIV. To mount an attack, the applications must\nimplement their own protocol and use the EVP interface. Also they must skip the\nciphertext update when a message with an empty ciphertext arrives.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as these algorithms are not FIPS approved and the affected code is\noutside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45446"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45446"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45446"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45446"
        }
      ],
      "published": "2026-06-09T17:17:19+00:00",
      "updated": "2026-06-16T02:57:01+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-45447",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 8.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "high"
        }
      ],
      "cwes": [
        416
      ],
      "description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45447"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45447"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e"
        },
        {
          "url": "https://linux.oracle.com/cve/CVE-2026-45447.html"
        },
        {
          "url": "https://linux.oracle.com/errata/ELSA-2026-50323.html"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45447"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45447"
        }
      ],
      "published": "2026-06-09T17:17:19+00:00",
      "updated": "2026-06-16T02:56:50+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-4873",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        295,
        319
      ],
      "description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an\nexisting unencrypted connection from the same connection pool. If an initial\ntransfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request\nto that same host bypasses the TLS requirement and instead transmit data\nunencrypted.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-4873"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/29/7"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-4873"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-4873.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-4873.json"
        },
        {
          "url": "https://hackerone.com/reports/3621851"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4873"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4873"
        }
      ],
      "published": "2026-05-13T13:01:55+00:00",
      "updated": "2026-05-14T13:45:11+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-48864",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [
        787
      ],
      "description": "A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-48864"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:21333"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-48864"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460425"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48864"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48864"
        }
      ],
      "published": "2026-05-26T17:16:54+00:00",
      "updated": "2026-05-28T19:22:42+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.7.24-5.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-50219",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
        }
      ],
      "cwes": [
        416
      ],
      "description": "libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-50219"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-50219"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1246"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50219"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-50219"
        }
      ],
      "published": "2026-06-04T06:16:25+00:00",
      "updated": "2026-06-04T18:39:29+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.5.0-6.el9_8.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/expat@2.5.0-6.el9_8.1?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5435",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        787
      ],
      "description": "The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5435"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5435"
        },
        {
          "url": "https://inbox.sourceware.org/libc-alpha/cover.1777546194.git.fweimer@redhat.com/"
        },
        {
          "url": "https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5435"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34033"
        },
        {
          "url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0011"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5435"
        }
      ],
      "published": "2026-04-28T13:19:22+00:00",
      "updated": "2026-05-05T17:38:37+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-54411",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 4.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "cwes": [
        208
      ],
      "description": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-54411"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-54411"
        },
        {
          "url": "https://cwe.mitre.org/data/definitions/208.html"
        },
        {
          "url": "https://github.com/linux-pam/linux-pam"
        },
        {
          "url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h"
        },
        {
          "url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54411"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54411"
        }
      ],
      "published": "2026-06-14T18:17:20+00:00",
      "updated": "2026-06-16T15:36:43+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/pam@1.5.1-28.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "1.5.1-28.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/pam@1.5.1-28.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/pam@1.5.1-28.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5450",
      "ratings": [
        {
          "source": {
            "name": "photon"
          },
          "severity": "critical"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H"
        }
      ],
      "cwes": [
        122,
        787
      ],
      "description": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5450"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5450"
        },
        {
          "url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5450"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5450#range-21286997"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5450"
        }
      ],
      "published": "2026-04-20T21:16:36+00:00",
      "updated": "2026-04-23T15:33:34+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5545",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        613
      ],
      "description": "libcurl might in some circumstances reuse the wrong connection when asked to\ndo an authenticated HTTP(S) request after a Negotiate-authenticated one, when\nboth use the same host.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials.\n\nAn application that first uses Negotiate authentication to a server with\n`user1:password1` and then does another operation to the same server asking\nfor any authentication method but for `user2:password2` (while the previous\nconnection is still alive) - the second request gets confused and wrongly\nreuses the same connection and sends the new request over that connection\nthinking it uses a mix of user1's and user2's credentials when it is in fact\nstill using the connection authenticated for user1...",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5545"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5545"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-5545.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-5545.json"
        },
        {
          "url": "https://hackerone.com/reports/3642555"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5545"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5545"
        }
      ],
      "published": "2026-05-13T13:01:56+00:00",
      "updated": "2026-05-13T19:31:07+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5704",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
        }
      ],
      "cwes": [
        434
      ],
      "description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5704"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/11/10"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/11/11"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/12/2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5704"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455360"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5704"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5704"
        }
      ],
      "published": "2026-04-06T16:16:42+00:00",
      "updated": "2026-04-22T20:08:59+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2",
          "versions": [
            {
              "version": "2:1.34-11.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/tar@1.34-11.el9?arch=x86_64&distro=redhat-9.8&epoch=2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5713",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        }
      ],
      "cwes": [
        121,
        125
      ],
      "description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5713"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/15/6"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:19176"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5713"
        },
        {
          "url": "https://bugzilla.redhat.com/2431367"
        },
        {
          "url": "https://bugzilla.redhat.com/2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/2458239"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431367"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448168"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448181"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457409"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458239"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0865"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1502"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2297"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3644"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4224"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4519"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4786"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5713"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6100"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-19176.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:19176"
        },
        {
          "url": "https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67"
        },
        {
          "url": "https://github.com/python/cpython/commit/316f6265b7f9ca4ffed5346b747475ef1943f35d"
        },
        {
          "url": "https://github.com/python/cpython/issues/148178"
        },
        {
          "url": "https://github.com/python/cpython/pull/148187"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5713"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5713"
        }
      ],
      "published": "2026-04-14T16:16:48+00:00",
      "updated": "2026-06-10T19:16:37+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5745",
      "ratings": [
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        476
      ],
      "description": "A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare \"d\" or \"default\" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5745"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:8944"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5745"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455921"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5745"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5745"
        }
      ],
      "published": "2026-04-07T16:16:32+00:00",
      "updated": "2026-05-03T15:15:58+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.5.3-9.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libarchive@3.5.3-9.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5773",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        918
      ],
      "description": "libcurl might in some circumstances reuse the wrong connection for SMB(S)\ntransfers.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a network transfer operation that was requested by an\napplication could wrongfully reuse an existing SMB connection to the same\nserver that was using a different 'share' than the new subsequent transfer\nshould.\n\nThis could in unlucky situations lead to the download of the wrong file or the\nupload of a file to the wrong place. When this happens, the same credentials\nare used and the server name is the same.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5773"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/29/9"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5773"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-5773.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-5773.json"
        },
        {
          "url": "https://hackerone.com/reports/3650689"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5773"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5773"
        }
      ],
      "published": "2026-05-13T13:01:56+00:00",
      "updated": "2026-05-13T19:13:14+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5928",
      "ratings": [
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H"
        }
      ],
      "cwes": [
        127
      ],
      "description": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5928"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5928"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5928"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33998"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5928"
        }
      ],
      "published": "2026-04-20T21:16:36+00:00",
      "updated": "2026-04-23T15:33:43+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-5958",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "low"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        367
      ],
      "description": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: \n1. resolves symlink to its target and stores\u00a0the resolved path for determining when output is written,\n2. opens the original symlink path\u00a0(not the resolved one) to read the file. \nBetween these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1.\u00a0This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.\n\n\nThis issue was fixed in version 4.10.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-5958"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/05/13/1"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-5958"
        },
        {
          "url": "https://cert.pl/en/posts/2026/04/CVE-2026-5958"
        },
        {
          "url": "https://github.com/advisories/GHSA-9r7w-j29g-xqx8"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5958"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8229-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8229-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5958"
        },
        {
          "url": "https://www.gnu.org/software/sed"
        },
        {
          "url": "https://www.gnu.org/software/sed/"
        }
      ],
      "published": "2026-04-20T12:16:08+00:00",
      "updated": "2026-05-19T15:17:37+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "4.8-10.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/sed@4.8-10.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6019",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.1,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
        }
      ],
      "cwes": [
        150,
        116
      ],
      "description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6019"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6019"
        },
        {
          "url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
        },
        {
          "url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
        },
        {
          "url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
        },
        {
          "url": "https://github.com/python/cpython/issues/90309"
        },
        {
          "url": "https://github.com/python/cpython/pull/148848"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6019"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6019"
        }
      ],
      "published": "2026-04-22T20:16:42+00:00",
      "updated": "2026-05-28T19:15:28+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6238",
      "ratings": [
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        126
      ],
      "description": "The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver.  Further, they have been deprecated since version 2.34 and should not be used by any new applications.  Applications should consider porting away from these interfaces since they may be removed in future versions.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6238"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6238"
        },
        {
          "url": "https://inbox.sourceware.org/libc-alpha/cover.1777546194.git.fweimer@redhat.com/"
        },
        {
          "url": "https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6238"
        },
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34069"
        },
        {
          "url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0012"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6238"
        }
      ],
      "published": "2026-04-28T19:37:47+00:00",
      "updated": "2026-05-04T17:57:24+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.34-270.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-common@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc-minimal-langpack@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/glibc@2.34-270.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6253",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        522
      ],
      "description": "curl might erroneously pass on credentials for a first proxy to a second\nproxy.\n\nThis can happen when the following conditions are true:\n\n1. curl is setup to use specific different proxies for different URL schemes\n2. the first proxy needs credentials\n3. the second proxy uses no credentials\n4. while using the first proxy (using say `http://`), curl is asked to follow\n   a redirect to a URL using another scheme (say `https://`), accessed using a\n   second, different, proxy",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6253"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/29/11"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6253"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-6253.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-6253.json"
        },
        {
          "url": "https://hackerone.com/reports/3669637"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6253"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6253"
        }
      ],
      "published": "2026-05-13T13:01:56+00:00",
      "updated": "2026-05-14T13:40:53+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6276",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 3.7,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        319
      ],
      "description": "Using libcurl, when a custom `Host:` header is first set for an HTTP request\nand a second request is subsequently done using the same *easy handle* but\nwithout the custom `Host:` header set, the second request would use stale\ninformation and pass on cookies meant for the first host in the second\nrequest. Leak them.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6276"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/29/13"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6276"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-6276.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-6276.json"
        },
        {
          "url": "https://hackerone.com/reports/3671818"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6276"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6276"
        }
      ],
      "published": "2026-05-13T13:01:56+00:00",
      "updated": "2026-05-14T14:21:06+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6357",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"
        }
      ],
      "cwes": [
        829
      ],
      "description": "pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.",
      "recommendation": "Upgrade pip to version 26.1",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6357"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/27/7"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6357"
        },
        {
          "url": "https://github.com/pypa/pip"
        },
        {
          "url": "https://github.com/pypa/pip/commit/b369bfc96cc524e00c267e1693290e6599c36bad"
        },
        {
          "url": "https://github.com/pypa/pip/pull/13923"
        },
        {
          "url": "https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/#security-fixes"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6357"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6357"
        }
      ],
      "published": "2026-04-27T15:16:20+00:00",
      "updated": "2026-04-27T23:16:03+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/pip@26.0.1",
          "versions": [
            {
              "version": "26.0.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/pip@26.0.1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6429",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "description": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, libcurl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6429"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6429"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-6429.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-6429.json"
        },
        {
          "url": "https://hackerone.com/reports/3677759"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6429"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6429"
        }
      ],
      "published": "2026-05-13T13:01:56+00:00",
      "updated": "2026-05-14T14:18:02+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-6732",
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        843
      ],
      "description": "A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-6732"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:11503"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-6732"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461300"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/1097"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/411"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6732"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6732"
        }
      ],
      "published": "2026-04-23T23:16:16+00:00",
      "updated": "2026-05-15T14:36:35+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "2.9.13-14.el9_7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-7168",
      "ratings": [
        {
          "source": {
            "name": "azure"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "medium"
        }
      ],
      "cwes": [
        294
      ],
      "description": "Successfully using libcurl to do a transfer over a specific HTTP proxy\n(`proxyA`) with **Digest** authentication and then changing the proxy host to\na second one (`proxyB`) for a second transfer, reusing the same handle, makes\nlibcurl wrongly pass on the `Proxy-Authorization:` header field meant for\n`proxyA`, to `proxyB`.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-7168"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/04/29/14"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-7168"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-7168.html"
        },
        {
          "url": "https://curl.se/docs/CVE-2026-7168.json"
        },
        {
          "url": "https://hackerone.com/reports/3697719"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7168"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8227-1"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7168"
        }
      ],
      "published": "2026-05-13T13:01:57+00:00",
      "updated": "2026-05-14T14:12:48+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "7.76.1-40.el9",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/curl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libcurl-minimal@7.76.1-40.el9?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-7210",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        331
      ],
      "description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-7210"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-7210"
        },
        {
          "url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
        },
        {
          "url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
        },
        {
          "url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
        },
        {
          "url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
        },
        {
          "url": "https://github.com/python/cpython/issues/149018"
        },
        {
          "url": "https://github.com/python/cpython/pull/149023"
        },
        {
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7210"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7210"
        }
      ],
      "published": "2026-05-11T18:16:42+00:00",
      "updated": "2026-06-15T17:51:07+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "3.9.25-7.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python-unversioned-command@3.9.25-7.el9_8?arch=noarch&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3-libs@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/python3@3.9.25-7.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-7383",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        787
      ],
      "description": "Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-7383"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-7383"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7383"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7383"
        }
      ],
      "published": "2026-06-09T17:17:50+00:00",
      "updated": "2026-06-16T02:46:08+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-9076",
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.9,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "rocky"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "ubuntu"
          },
          "severity": "low"
        }
      ],
      "cwes": [
        125
      ],
      "description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\nprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\ncipher can trigger a heap out-of-bounds read in kek_unwrap_key().\n\nImpact summary: A heap buffer over-read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not revealed to the attacker.\n\nThe key unwrapping function performs a check-byte test as specified in the\nRFC that reads 7 bytes from a heap allocation that is based on the wrapped\nkey length from the message. There is a minimum length check based on the\nblock length of the wrapping cipher. However the cipher is selected from\nan OID carried in the attacker's PWRI keyEncryptionAlgorithm with no\nrequirement that the cipher be a block cipher. When an attacker selects\na stream-mode cipher the guard will be ineffective and the allocated buffer\ncontaining the unwrapped key can be too small to fit the check-bytes\nspecified in the RFC and a buffer over-read can happen.\n\nApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\n(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\ndata are vulnerable to this issue. No password knowledge is required: the\nover-read happens during the unwrap attempt before any authentication\nsucceeds.\n\nThe over-read is limited to a few bytes and is not written to output, so\nthere is no information disclosure. Triggering a crash requires the\nallocation to border unmapped memory, which is unlikely with the normal\nallocator.\n\nThe FIPS modules are not affected by this issue.",
      "recommendation": "Upgrade openssl to version 1:3.5.5-4.el9_8; Upgrade openssl-libs to version 1:3.5.5-4.el9_8",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-9076"
        },
        {
          "url": "https://access.redhat.com/errata/RHSA-2026:25239"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-9076"
        },
        {
          "url": "https://bugzilla.redhat.com/2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/2481898"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383"
        },
        {
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076"
        },
        {
          "url": "https://errata.almalinux.org/9/ALSA-2026-25239.html"
        },
        {
          "url": "https://errata.rockylinux.org/RLSA-2026:25239"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/715349a1d7c6db970e6815dafb90915f07307f98"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26"
        },
        {
          "url": "https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9076"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-1"
        },
        {
          "url": "https://ubuntu.com/security/notices/USN-8414-2"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9076"
        }
      ],
      "published": "2026-06-09T17:17:50+00:00",
      "updated": "2026-06-16T02:45:58+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1",
          "versions": [
            {
              "version": "1:3.5.5-3.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/openssl@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:rpm/redhat/openssl-libs@3.5.5-3.el9_8?arch=x86_64&distro=redhat-9.8&epoch=1"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": "Exploitability analysis, additional details:\nTemurin JVM binary is linked only against glibc:\n$ ldd /usr/lib/jvm/temurin-17-jre/bin/java\n        linux-vdso.so.1 (0x0000ffff8cd00000)\n        libjli.so => /usr/lib/jvm/temurin-17-jre/bin/../lib/libjli.so (0x0000ffff8cc70000)\n        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000ffff8cc3b000)\n        libdl.so.2 => /lib64/libdl.so.2 (0x0000ffff8cc1a000)\n        libc.so.6 => /lib64/libc.so.6 (0x0000ffff8caa4000)\n        /lib/ld-linux-aarch64.so.1 (0x0000ffff8ccc2000)"
      }
    },
    {
      "id": "CVE-2026-9149",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        122
      ],
      "description": "A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-9149"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-9149"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460380"
        },
        {
          "url": "https://github.com/openSUSE/libsolv/pull/617"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9149"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9149"
        }
      ],
      "published": "2026-05-21T00:16:35+00:00",
      "updated": "2026-06-02T01:21:26+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.7.24-5.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-9150",
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "photon"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        121
      ],
      "description": "A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-9150"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-9150"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460379"
        },
        {
          "url": "https://github.com/openSUSE/libsolv/pull/616"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9150"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9150"
        }
      ],
      "published": "2026-05-20T23:16:36+00:00",
      "updated": "2026-06-02T18:57:51+00:00",
      "affects": [
        {
          "ref": "pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8",
          "versions": [
            {
              "version": "0.7.24-5.el9_8",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:ff5fd474-bbdb-4f66-9fdf-fed343cababb/1#pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8"
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:rpm/redhat/libsolv@0.7.24-5.el9_8?arch=x86_64&distro=redhat-9.8"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "GHSA-537c-gmf6-5ccf",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
      "recommendation": "Upgrade cryptography to version 48.0.1",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-537c-gmf6-5ccf"
        },
        {
          "url": "https://github.com/pyca/cryptography"
        },
        {
          "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-537c-gmf6-5ccf"
        },
        {
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        }
      ],
      "published": "2026-06-15T20:12:27+00:00",
      "updated": "2026-06-15T20:12:27+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@46.0.7",
          "versions": [
            {
              "version": "46.0.7",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/cryptography@46.0.7"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "GHSA-qp9x-wp8f-qgjj",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        }
      ],
      "description": "`DelegatedRole._is_target_in_pathpattern` uses `fnmatch.fnmatch` to decide whether a given target path is authorized by a delegation's glob pattern.\n\nPython's `fnmatch.fnmatch` calls `os.path.normcase()` on both arguments before matching. On POSIX hosts `normcase` is the identity function; on Windows hosts `os.path` resolves to `ntpath`, whose `normcase` lowercases its input and replaces `/` with `\\`.\n\nAs a result, python-tuf's delegation *path pattern* matching is case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the authorization decision for a target dependent on the host operating system of the client running the updater.\n\nThe result on Windows is a TUF specification violation in the python-tuf `ngclient` implementation.\n\n## Vulnerable code\n\n`tuf/api/_payload.py` (HEAD `7ecb67d`):\n\n```python\n1183  @staticmethod\n1184  def _is_target_in_pathpattern(targetpath: str, pathpattern: str) -> bool:\n1185      \"\"\"Determine whether ``targetpath`` matches the ``pathpattern``.\"\"\"\n1186      # We need to make sure that targetpath and pathpattern are pointing to\n1187      # the same directory as fnmatch doesn't threat \"/\" as a special symbol.\n1188      target_parts = targetpath.split(\"/\")\n1189      pattern_parts = pathpattern.split(\"/\")\n1190      if len(target_parts) != len(pattern_parts):\n1191          return False\n1192\n1193      # Every part in the pathpattern could include a glob pattern, that's why\n1194      # each of the target and pathpattern parts should match.\n1195      for target, pattern in zip(target_parts, pattern_parts, strict=True):\n1196          if not fnmatch.fnmatch(target, pattern):\n1197              return False\n1198      return True\n```\n\n`fnmatch.fnmatch` source (Python 3.12, unchanged in current mainline):\n\n```python\ndef fnmatch(name, pat):\n    ...\n    name = os.path.normcase(name)\n    pat = os.path.normcase(pat)\n    return fnmatchcase(name, pat)\n```\n\n## Fix\n\nReplace `fnmatch.fnmatch` with `fnmatch.fnmatchcase`, which is explicitly documented as \"not applying case normalization\", so it behaves identically across platforms.\n\n## Attack\n\n1. A TUF repository with two path-based delegations whose patterns differ only in case \u2014 for example, `Foo/*` and `foo/*`.\n2. The \"attacker\" delegation is listed BEFORE the \"legit\" delegation in the delegation order.\n3. The client searches for `foo/something`: on Windows, it will find the \"attacker\" provided target \"Foo/something\".\n\n\n## Exploitability caveats \n\n* The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles.\n* Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk.\n* The client must run on Windows. No effect on Linux/macOS.\n\n## Credit\n\nReporter: Koda Reef @kodareef5 \nAdvisory edits: Jussi Kukkonen @jku",
      "recommendation": "Upgrade tuf to version 7.0.0",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-qp9x-wp8f-qgjj"
        },
        {
          "url": "https://github.com/theupdateframework/python-tuf"
        },
        {
          "url": "https://github.com/theupdateframework/python-tuf/releases/tag/v7.0.0"
        },
        {
          "url": "https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-qp9x-wp8f-qgjj"
        }
      ],
      "published": "2026-05-28T22:46:13+00:00",
      "updated": "2026-05-28T22:46:13+00:00",
      "affects": [
        {
          "ref": "pkg:pypi/tuf@6.0.0",
          "versions": [
            {
              "version": "6.0.0",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:23679700-d58e-434d-823f-f78871b70cc4/1#pkg:pypi/tuf@6.0.0"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-33117",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 9.1,
          "severity": "critical",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
        }
      ],
      "cwes": [
        287,
        347
      ],
      "description": "Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.",
      "recommendation": "Upgrade com.azure:azure-security-keyvault-keys to version 4.10.6",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-33117"
        },
        {
          "url": "https://github.com/Azure/azure-sdk-for-java"
        },
        {
          "url": "https://github.com/Azure/azure-sdk-for-java/commit/1b5c5c79d85a5c9a9cfd07f6cdff6fd0f50eccf9"
        },
        {
          "url": "https://github.com/Azure/azure-sdk-for-java/pull/48476"
        },
        {
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33117"
        }
      ],
      "published": "2026-05-12T18:17:04+00:00",
      "updated": "2026-05-15T18:38:17+00:00",
      "affects": [
        {
          "ref": "pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3",
          "versions": [
            {
              "version": "4.10.3",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3",
          "versions": [
            {
              "version": "4.10.3",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3",
          "versions": [
            {
              "version": "4.10.3",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2",
          "versions": [
            {
              "version": "4.10.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2",
          "versions": [
            {
              "version": "4.9.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#200b10bd-e391-4941-8ab4-f472c5ae6f05"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#200b10bd-e391-4941-8ab4-f472c5ae6f05"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#200b10bd-e391-4941-8ab4-f472c5ae6f05"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#53a67bb5-f2df-4ec8-8cfe-c22f62112384"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#53a67bb5-f2df-4ec8-8cfe-c22f62112384"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#53a67bb5-f2df-4ec8-8cfe-c22f62112384"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#63a99999-10f8-4b80-ae7d-688b57f00ce7"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#63a99999-10f8-4b80-ae7d-688b57f00ce7"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#63a99999-10f8-4b80-ae7d-688b57f00ce7"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#891ce094-87f4-49ce-89dc-4da8493be6b8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#891ce094-87f4-49ce-89dc-4da8493be6b8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#891ce094-87f4-49ce-89dc-4da8493be6b8"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#181a78ad-83f5-47ef-bd7e-deb2080a4222"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#181a78ad-83f5-47ef-bd7e-deb2080a4222"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#181a78ad-83f5-47ef-bd7e-deb2080a4222"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.3"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.10.2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/com.azure/azure-security-keyvault-keys@4.9.2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-44249",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 8.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 8.1,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [
        284,
        697
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-handler to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-44249"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-44249"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44249"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44249"
        }
      ],
      "published": "2026-06-11T22:16:56+00:00",
      "updated": "2026-06-15T02:30:46+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-45292",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        770
      ],
      "description": "opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.",
      "recommendation": "Upgrade io.opentelemetry:opentelemetry-api to version 1.62.0",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45292"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45292"
        },
        {
          "url": "https://github.com/open-telemetry/opentelemetry-java"
        },
        {
          "url": "https://github.com/open-telemetry/opentelemetry-java/commit/03837d3c1763bc35464aea1078671e2ef2336a5f"
        },
        {
          "url": "https://github.com/open-telemetry/opentelemetry-java/pull/8380"
        },
        {
          "url": "https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0"
        },
        {
          "url": "https://github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45292"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45292"
        }
      ],
      "published": "2026-05-28T17:16:32+00:00",
      "updated": "2026-05-29T15:42:56+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1",
          "versions": [
            {
              "version": "1.42.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1",
          "versions": [
            {
              "version": "1.42.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1",
          "versions": [
            {
              "version": "1.42.1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#10761547-d2a4-4be6-bb3f-96e04ab81e4e"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#10761547-d2a4-4be6-bb3f-96e04ab81e4e"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#10761547-d2a4-4be6-bb3f-96e04ab81e4e"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:26683e23-bf35-4ba6-9f05-2731a92e3aca/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:26683e23-bf35-4ba6-9f05-2731a92e3aca/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:26683e23-bf35-4ba6-9f05-2731a92e3aca/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#1119f642-4877-4e86-9e91-ae06c1711097"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#1119f642-4877-4e86-9e91-ae06c1711097"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#1119f642-4877-4e86-9e91-ae06c1711097"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#58cb175c-7937-461b-9f83-afc9c47b3547"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#58cb175c-7937-461b-9f83-afc9c47b3547"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#58cb175c-7937-461b-9f83-afc9c47b3547"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0f744dc3-064b-4134-9a1f-3967ed305481"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0f744dc3-064b-4134-9a1f-3967ed305481"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0f744dc3-064b-4134-9a1f-3967ed305481"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.opentelemetry/opentelemetry-api@1.42.1"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#c8b35069-262b-4da0-92d9-b7f725d687ec"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#c8b35069-262b-4da0-92d9-b7f725d687ec"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#c8b35069-262b-4da0-92d9-b7f725d687ec"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#3be891a1-9e82-468c-8afb-c858a0abc364"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#3be891a1-9e82-468c-8afb-c858a0abc364"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#3be891a1-9e82-468c-8afb-c858a0abc364"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#08db84fa-904c-4735-afa3-fdf79471c422"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#08db84fa-904c-4735-afa3-fdf79471c422"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#08db84fa-904c-4735-afa3-fdf79471c422"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-45416",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        770
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-handler to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45416"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45416"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45416"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45416"
        }
      ],
      "published": "2026-06-12T15:16:26+00:00",
      "updated": "2026-06-15T02:15:04+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-45536",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 4,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        200,
        772
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) \u2014 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking \u2192 EAGAIN \u2192 Java maps to 0 \u2192 read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-transport-native-epoll to version 4.2.15.Final, 4.1.135.Final; Upgrade io.netty:netty-transport-native-kqueue to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45536"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45536"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45536"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45536"
        }
      ],
      "published": "2026-06-12T15:16:27+00:00",
      "updated": "2026-06-15T02:14:53+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final",
          "versions": [
            {
              "version": "4.1.124.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5c8e2b0c-0094-42d3-86a6-474a25fba082"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#9c039ed8-0e7f-48ca-859a-61191e5c87a0"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#44c9efca-ec87-4a4f-a66b-24d65db4d98f"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5313a052-332d-43cc-ba93-f693dd34c5db"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#44c9efca-ec87-4a4f-a66b-24d65db4d98f"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5c8e2b0c-0094-42d3-86a6-474a25fba082"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#9c039ed8-0e7f-48ca-859a-61191e5c87a0"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#44c9efca-ec87-4a4f-a66b-24d65db4d98f"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5c8e2b0c-0094-42d3-86a6-474a25fba082"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#44c9efca-ec87-4a4f-a66b-24d65db4d98f"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#44c9efca-ec87-4a4f-a66b-24d65db4d98f"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#9c039ed8-0e7f-48ca-859a-61191e5c87a0"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5313a052-332d-43cc-ba93-f693dd34c5db"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5c8e2b0c-0094-42d3-86a6-474a25fba082"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5313a052-332d-43cc-ba93-f693dd34c5db"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#44c9efca-ec87-4a4f-a66b-24d65db4d98f"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#4485578f-ab72-4bb7-8d3d-347757403615"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#4485578f-ab72-4bb7-8d3d-347757403615"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#4485578f-ab72-4bb7-8d3d-347757403615"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#4485578f-ab72-4bb7-8d3d-347757403615"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#4485578f-ab72-4bb7-8d3d-347757403615"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#4485578f-ab72-4bb7-8d3d-347757403615"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#00ebb70d-baff-42d5-bbd7-09ae76e9e0be"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#69d72c5c-d0e1-45ac-839f-5fd551bf2370"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#69d72c5c-d0e1-45ac-839f-5fd551bf2370"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#00ebb70d-baff-42d5-bbd7-09ae76e9e0be"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#69d72c5c-d0e1-45ac-839f-5fd551bf2370"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#00ebb70d-baff-42d5-bbd7-09ae76e9e0be"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#69d72c5c-d0e1-45ac-839f-5fd551bf2370"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#69d72c5c-d0e1-45ac-839f-5fd551bf2370"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#00ebb70d-baff-42d5-bbd7-09ae76e9e0be"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#69d72c5c-d0e1-45ac-839f-5fd551bf2370"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#78e3dced-1b9f-4e49-af94-92139e05bbcf"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2e613c2e-c638-4a60-8acd-64102f53f1f7"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#13881629-680c-4574-8194-576217de200c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#3f174078-cc8e-4c0c-b6cb-8605f48c5ef5"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#13881629-680c-4574-8194-576217de200c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#78e3dced-1b9f-4e49-af94-92139e05bbcf"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2e613c2e-c638-4a60-8acd-64102f53f1f7"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#13881629-680c-4574-8194-576217de200c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#78e3dced-1b9f-4e49-af94-92139e05bbcf"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#13881629-680c-4574-8194-576217de200c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#13881629-680c-4574-8194-576217de200c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2e613c2e-c638-4a60-8acd-64102f53f1f7"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#3f174078-cc8e-4c0c-b6cb-8605f48c5ef5"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#78e3dced-1b9f-4e49-af94-92139e05bbcf"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#3f174078-cc8e-4c0c-b6cb-8605f48c5ef5"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#13881629-680c-4574-8194-576217de200c"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#88365f48-6a2b-42a9-9217-782c5be52c04"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#88365f48-6a2b-42a9-9217-782c5be52c04"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#88365f48-6a2b-42a9-9217-782c5be52c04"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#88365f48-6a2b-42a9-9217-782c5be52c04"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#88365f48-6a2b-42a9-9217-782c5be52c04"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#88365f48-6a2b-42a9-9217-782c5be52c04"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#13b08fa5-66f1-4843-9dd0-25c7da0bdb62"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#14eb631f-9326-42f5-8f9e-dc4f1eafbb4b"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#223f37e5-9366-41f0-b3af-6254fef8ff65"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#30dc8cd2-6b32-4cea-8673-e3a4c7c65f31"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#223f37e5-9366-41f0-b3af-6254fef8ff65"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#13b08fa5-66f1-4843-9dd0-25c7da0bdb62"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#14eb631f-9326-42f5-8f9e-dc4f1eafbb4b"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#223f37e5-9366-41f0-b3af-6254fef8ff65"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#13b08fa5-66f1-4843-9dd0-25c7da0bdb62"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#223f37e5-9366-41f0-b3af-6254fef8ff65"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#223f37e5-9366-41f0-b3af-6254fef8ff65"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#14eb631f-9326-42f5-8f9e-dc4f1eafbb4b"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#30dc8cd2-6b32-4cea-8673-e3a4c7c65f31"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#13b08fa5-66f1-4843-9dd0-25c7da0bdb62"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#30dc8cd2-6b32-4cea-8673-e3a4c7c65f31"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#223f37e5-9366-41f0-b3af-6254fef8ff65"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#02f285a5-54f9-4f2b-89b0-c56b976dfb5d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#2b5776e2-b615-402f-8237-02e5b8b7581f"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0ae48f9d-64cc-41d7-a55e-befcb6b62600"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#9d5ffee6-045d-49c4-872f-d508d66b1a74"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0ae48f9d-64cc-41d7-a55e-befcb6b62600"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#02f285a5-54f9-4f2b-89b0-c56b976dfb5d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#2b5776e2-b615-402f-8237-02e5b8b7581f"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0ae48f9d-64cc-41d7-a55e-befcb6b62600"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#02f285a5-54f9-4f2b-89b0-c56b976dfb5d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0ae48f9d-64cc-41d7-a55e-befcb6b62600"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0ae48f9d-64cc-41d7-a55e-befcb6b62600"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#2b5776e2-b615-402f-8237-02e5b8b7581f"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#9d5ffee6-045d-49c4-872f-d508d66b1a74"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#02f285a5-54f9-4f2b-89b0-c56b976dfb5d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#9d5ffee6-045d-49c4-872f-d508d66b1a74"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#0ae48f9d-64cc-41d7-a55e-befcb6b62600"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-transport-native-kqueue@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#674d5d03-9344-48a4-befd-545ea89b2283"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#53b28f0b-8412-440d-b520-1a424f21c04f"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#043fae34-8db9-406b-a8dd-bb353da11f9d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#53b28f0b-8412-440d-b520-1a424f21c04f"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#674d5d03-9344-48a4-befd-545ea89b2283"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#53b28f0b-8412-440d-b520-1a424f21c04f"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#53b28f0b-8412-440d-b520-1a424f21c04f"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#53b28f0b-8412-440d-b520-1a424f21c04f"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#674d5d03-9344-48a4-befd-545ea89b2283"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#043fae34-8db9-406b-a8dd-bb353da11f9d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#043fae34-8db9-406b-a8dd-bb353da11f9d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#53b28f0b-8412-440d-b520-1a424f21c04f"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#28de7352-21b8-4578-b18e-d4d3a0d38f4d"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#04b46bae-8093-49ec-a566-b7454c73a9f2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4a696eef-0953-4f0f-80c7-e41d2f463312"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4909e3f7-fac2-4f89-a800-659589a33b8e"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4a696eef-0953-4f0f-80c7-e41d2f463312"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#28de7352-21b8-4578-b18e-d4d3a0d38f4d"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#04b46bae-8093-49ec-a566-b7454c73a9f2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4a696eef-0953-4f0f-80c7-e41d2f463312"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#28de7352-21b8-4578-b18e-d4d3a0d38f4d"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4a696eef-0953-4f0f-80c7-e41d2f463312"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4a696eef-0953-4f0f-80c7-e41d2f463312"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#04b46bae-8093-49ec-a566-b7454c73a9f2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4909e3f7-fac2-4f89-a800-659589a33b8e"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#28de7352-21b8-4578-b18e-d4d3a0d38f4d"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4909e3f7-fac2-4f89-a800-659589a33b8e"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#4a696eef-0953-4f0f-80c7-e41d2f463312"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#02ca195e-d504-4259-a3ff-dc4074afa174"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#77b458d4-7bcb-4ce1-8673-57262b34396e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#48a08c64-2940-492c-aa2d-f5f803b6972e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#20c1be3f-9673-4ccf-a862-c87e58e8cbf0"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#48a08c64-2940-492c-aa2d-f5f803b6972e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#02ca195e-d504-4259-a3ff-dc4074afa174"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#77b458d4-7bcb-4ce1-8673-57262b34396e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#48a08c64-2940-492c-aa2d-f5f803b6972e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#02ca195e-d504-4259-a3ff-dc4074afa174"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#48a08c64-2940-492c-aa2d-f5f803b6972e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#48a08c64-2940-492c-aa2d-f5f803b6972e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#77b458d4-7bcb-4ce1-8673-57262b34396e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#20c1be3f-9673-4ccf-a862-c87e58e8cbf0"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#02ca195e-d504-4259-a3ff-dc4074afa174"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#20c1be3f-9673-4ccf-a862-c87e58e8cbf0"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#48a08c64-2940-492c-aa2d-f5f803b6972e"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/io.netty/netty-transport-native-epoll@4.1.124.Final"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-45673",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 6.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 6.8,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
        }
      ],
      "cwes": [
        330,
        340
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-resolver-dns to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45673"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45673"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45673"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45673"
        }
      ],
      "published": "2026-06-12T15:16:27+00:00",
      "updated": "2026-06-15T02:14:01+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-45674",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 8.7,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 10,
          "severity": "critical",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 8.7,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
        }
      ],
      "cwes": [
        345
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-resolver-dns to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-45674"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-45674"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45674"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45674"
        }
      ],
      "published": "2026-06-12T15:16:27+00:00",
      "updated": "2026-06-15T02:13:07+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-47244",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        400
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-codec-http2 to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-47244"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-47244"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47244"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47244"
        }
      ],
      "published": "2026-06-12T15:16:29+00:00",
      "updated": "2026-06-15T02:11:37+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-47691",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 8.7,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 10,
          "severity": "critical",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 8.7,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
        }
      ],
      "cwes": [
        345
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-resolver-dns to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-47691"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-47691"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47691"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47691"
        }
      ],
      "published": "2026-06-12T16:16:30+00:00",
      "updated": "2026-06-15T01:57:41+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#18fa623c-97f2-4101-848a-9b89c29b48c8"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#3c5f4eff-4ffb-41b3-8e60-6e1aa78e0524"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#6c5b8f4b-720a-41c1-9586-4fc4a538f8e1"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#2ab0e825-929a-4a1f-bff2-b98dae87df61"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#30135cf7-f006-4b51-8d55-9e240a83ff8f"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#2de95a8e-9f9f-4510-b642-b699e6f137cc"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#553bb671-909e-4f3f-b845-5116385562e2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#22648f79-09c3-435e-aa58-0f74e7a18f45"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#87628895-0e86-489f-8a5e-a76886862d93"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-resolver-dns@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2075405e-45bd-4860-8bee-68bebc25760d"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#27bb855f-e50e-4b2a-bb94-54b749754bc2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#1ff42a66-8bba-437a-a92b-dc65ed617150"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#7ecfeb8f-d958-4bba-863c-9ae07b9731b3"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0c93f25a-187e-4797-ba40-380c9ac0a2ae"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bf8b50c4-70d1-43a9-86bc-9592a1874fd1"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-48043",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        400,
        401
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-codec-http2 to version 4.1.135.Final, 4.2.15.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-48043"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-48043"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48043"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48043"
        }
      ],
      "published": "2026-06-12T16:16:30+00:00",
      "updated": "2026-06-15T01:56:42+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-50010",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "cwes": [
        347
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm=\"HTTPS\" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-handler to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-50010"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-50010"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50010"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-50010"
        }
      ],
      "published": "2026-06-12T16:16:31+00:00",
      "updated": "2026-06-15T02:31:50+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-handler@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#72043287-9221-4565-aced-14f10ef0c080"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#174a307d-411c-49ef-a40c-4ebf7aa06118"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#612df5df-78b6-4172-8d4e-21c1499656ce"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#ad744a64-9d97-4ec9-8369-b16af60082f6"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#cda4847a-ea87-4258-9e18-3564d8bca557"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#1a132d28-6bab-4a08-b962-ec8c2803b8b9"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#0eaab6ef-4e27-49cc-a774-211fc517639a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4b56481f-1987-4b49-ba7a-c8f2f99ddd7d"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#43cf0c2d-61ca-4dae-b855-2e41a7f20f4a"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-handler@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#6a306e73-618d-46f6-a6d8-da7e769a2d5e"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#2eae0b79-6fa9-40b8-8a46-8163ba22fb4b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#5c4d6cde-fa3e-465f-be96-648954d19a07"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#a12929b6-f890-4820-a000-41bbf0b25e0b"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#bdbf3df1-3197-4162-a1b2-2aeedf14c014"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#210267f2-6c31-4caf-a5ff-991dde77f710"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": "Code present in ce-kafka, ksql, and schroedinger telemetry-client\nCode unreachable in ksql, telemetry-client. In ce-kafka, there is a mitigation in place for ce-kafka client. \nMetrics client is affected via shaded netty, this only  CP in very limited configurations. "
      }
    },
    {
      "id": "CVE-2026-50020",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        }
      ],
      "cwes": [
        444
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00\u20130x1F and 0x7F) as well as all whitespace. RFC 9112 \u00a72.2 only asks servers to ignore empty CRLF lines preceding the request-line \u2014 a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-codec-http to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-50020"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-50020"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50020"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-50020"
        }
      ],
      "published": "2026-06-12T16:16:31+00:00",
      "updated": "2026-06-15T02:31:10+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#08914192-65c5-40cd-a880-48cd60988bff"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#41d9d145-3ae9-44f5-9f90-2232c781bd39"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#08914192-65c5-40cd-a880-48cd60988bff"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#08914192-65c5-40cd-a880-48cd60988bff"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#41d9d145-3ae9-44f5-9f90-2232c781bd39"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#08914192-65c5-40cd-a880-48cd60988bff"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#41d9d145-3ae9-44f5-9f90-2232c781bd39"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#08914192-65c5-40cd-a880-48cd60988bff"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#797a00df-f8fb-4034-95dd-f6c6546e9245"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#797a00df-f8fb-4034-95dd-f6c6546e9245"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#797a00df-f8fb-4034-95dd-f6c6546e9245"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#797a00df-f8fb-4034-95dd-f6c6546e9245"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#797a00df-f8fb-4034-95dd-f6c6546e9245"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#23754c02-d0ba-472f-b64c-28d9c045a691"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#254d3198-29c1-42c4-ad7f-304b7e854b0c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#23754c02-d0ba-472f-b64c-28d9c045a691"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#23754c02-d0ba-472f-b64c-28d9c045a691"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#254d3198-29c1-42c4-ad7f-304b7e854b0c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#23754c02-d0ba-472f-b64c-28d9c045a691"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#254d3198-29c1-42c4-ad7f-304b7e854b0c"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#23754c02-d0ba-472f-b64c-28d9c045a691"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#16778863-5a55-48a0-80d0-f971904f62b6"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#19223d10-94db-4a06-b082-beb9a84949ab"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#16778863-5a55-48a0-80d0-f971904f62b6"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#16778863-5a55-48a0-80d0-f971904f62b6"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#19223d10-94db-4a06-b082-beb9a84949ab"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#16778863-5a55-48a0-80d0-f971904f62b6"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#19223d10-94db-4a06-b082-beb9a84949ab"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#16778863-5a55-48a0-80d0-f971904f62b6"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#1269426e-3e57-4627-814e-fc4cb02ca6da"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4d3a89a3-6a1e-403a-bb92-65d3060515a5"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#1269426e-3e57-4627-814e-fc4cb02ca6da"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#1269426e-3e57-4627-814e-fc4cb02ca6da"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4d3a89a3-6a1e-403a-bb92-65d3060515a5"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#1269426e-3e57-4627-814e-fc4cb02ca6da"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#4d3a89a3-6a1e-403a-bb92-65d3060515a5"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#1269426e-3e57-4627-814e-fc4cb02ca6da"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#a0c7a153-34e3-471a-88ea-8a64770f8f09"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#62bdb0b6-67d2-4b32-a176-73adc0f8b725"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#a0c7a153-34e3-471a-88ea-8a64770f8f09"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#a0c7a153-34e3-471a-88ea-8a64770f8f09"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#62bdb0b6-67d2-4b32-a176-73adc0f8b725"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#a0c7a153-34e3-471a-88ea-8a64770f8f09"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#62bdb0b6-67d2-4b32-a176-73adc0f8b725"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#a0c7a153-34e3-471a-88ea-8a64770f8f09"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#13190b17-696e-4a0d-a0ea-1b7aa6c18232"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#03d741da-dc35-44c1-88ea-5826c148abe7"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#13190b17-696e-4a0d-a0ea-1b7aa6c18232"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#13190b17-696e-4a0d-a0ea-1b7aa6c18232"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#03d741da-dc35-44c1-88ea-5826c148abe7"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#13190b17-696e-4a0d-a0ea-1b7aa6c18232"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#03d741da-dc35-44c1-88ea-5826c148abe7"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#13190b17-696e-4a0d-a0ea-1b7aa6c18232"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#01e38a45-533f-4000-be0a-a21274f5619c"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#7e08e1b5-9418-4230-a40d-7bf7fb559f0d"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#01e38a45-533f-4000-be0a-a21274f5619c"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#01e38a45-533f-4000-be0a-a21274f5619c"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#7e08e1b5-9418-4230-a40d-7bf7fb559f0d"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#01e38a45-533f-4000-be0a-a21274f5619c"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#7e08e1b5-9418-4230-a40d-7bf7fb559f0d"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#01e38a45-533f-4000-be0a-a21274f5619c"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-50560",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        770
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-codec-http2 to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-50560"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-50560"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50560"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-50560"
        },
        {
          "url": "https://www.rfc-editor.org/rfc/rfc9113.html#name-defined-settings"
        }
      ],
      "published": "2026-06-12T16:16:32+00:00",
      "updated": "2026-06-15T02:30:57+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.2.13.Final",
          "versions": [
            {
              "version": "4.2.13.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/io.netty/netty-codec-http2@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#5def9c06-1283-4a83-8e83-ceb21cc43888"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#4ed9d18a-d911-41fb-9716-33ee8dd67b26"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:cc5a8328-7053-4940-936c-7ca5ba6f0cbf/1#2e99a8b8-14f9-4993-847e-4425a1dbdca0"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:3f05c70d-515b-4d1f-bdc4-ca66a73e35c1/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:903d7273-c0fc-4f31-b137-276d79bd35f2/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#57449450-2dc8-4779-bc0d-834d0bbdfb57"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#0986899c-44af-4b7e-8116-a1fd1e13b3d2"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#44c750fa-34eb-4bd7-a316-e37eec19db0a"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#04e9f70b-7df9-492c-87cf-ab724d9adae0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#03e8e923-ece6-4e4e-ba7a-415259a550e0"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#058b2cf7-7576-4942-be09-83825a255dfd"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.2.13.Final"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/io.netty/netty-codec-http2@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#1d7632da-d1a8-4a4d-b27d-a4ab712ffdaa"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#3d4407a0-f7cd-4155-b40c-7be8aae8a50b"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#59bbd229-5082-46fb-91f9-b11b3e32fc69"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#0617d43b-b4e9-41ff-9f26-0ba3eef3fac6"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#0276376b-467e-442e-bbb7-c328b2738218"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#9ec88d4d-023c-4a60-b7f3-0c605e850f53"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-8149",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [],
      "cwes": [
        1068
      ],
      "description": "A vulnerability in Legion of the Bouncy Castle Inc. BC-LTS on Linux, X86_64, AVX, AVX-512f.\n\n This vulnerability is associated with program files gcm128w, gcm512w.\n\n\n\nThis issue affects BC-LTS: from 2.73.0 before 2.73.11.",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-8149"
        },
        {
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%908149"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8149"
        }
      ],
      "published": "2026-05-08T07:16:29+00:00",
      "updated": "2026-05-19T00:16:37+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.bouncycastle/bc-fips@2.1.2",
          "versions": [
            {
              "version": "2.1.2",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:729528fa-afa5-4ea2-b406-16d576141c6b/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:70363cd5-a2a1-4f72-b5a2-df6062b75a3f/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:09ae0c62-9cdf-48da-8c6e-3a7bde4c8f97/1#4684bd7f-4527-4b9d-83ed-5744bd8b9dce"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:ea11109a-85af-4e1e-8117-8849cf99e986/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:b17dbf8f-31a6-4354-b5ba-65b19a00d2e5/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/org.bouncycastle/bc-fips@2.1.2"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "GHSA-2r2c-cx56-8933",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "### Summary\n\nThe JLine3 Telnet server (`remote-telnet` module) does not apply an upper bound to\nterminal dimensions received via the Telnet NAWS (Negotiate About Window Size) option.\nAn unauthenticated remote attacker can send a NAWS subnegotiation advertising a\n65535\u00d765535 terminal and repeatedly alternate values to trigger continuous, expensive\nrendering work on the server, causing CPU exhaustion and denial of service.\n\n### Details\n\n`TelnetIO.handleNAWS()` (TelnetIO.java:856-879) reads the client-supplied width and\nheight as 16-bit unsigned integers and passes them to `setTerminalGeometry()`:\n\n```java\n// TelnetIO.java:869-875\nprivate void setTerminalGeometry(int columns, int rows) {\n    if (columns < SMALLEST_BELIEVABLE_WIDTH) columns = DEFAULT_WIDTH;  // lower bound only\n    if (rows    < SMALLEST_BELIEVABLE_HEIGHT) rows    = DEFAULT_HEIGHT;\n    connectionData.setTerminalGeometry(columns, rows);\n    connection.processConnectionEvent(\n        new ConnectionEvent(connection, ConnectionEvent.Type.CONNECTION_TERMINAL_GEOMETRY_CHANGED));\n}\n```\n\nOnly a *lower* bound is enforced (minimum 20 columns / 6 rows). Values up to 65535 are\naccepted and stored. The geometry change event propagates to Telnet.java:153-158 where\nit calls:\n\n    terminal.setSize(new Size(65535, 65535));\n    terminal.raise(Signal.WINCH);\n\nThe WINCH signal triggers `LineReaderImpl.handleSignal()` \u2192 `redisplay()`. Inside\n`redisplay()`, multiple paths iterate up to `size.getColumns()` times:\n\n- `freshLine()` (LineReaderImpl.java:937,953): loops `size.getColumns()-1` = **65534\n  iterations**, building and writing a space-padding string across the network socket.\n- `columnSplitLength(terminal, size.getColumns(), ...)`: called multiple times,\n  each processing all characters against the 65535-wide line width.\n\nBecause WINCH only fires on *change*, the attacker alternates between two large values\n(e.g., 65535 and 65534) to trigger an unlimited stream of expensive render cycles.\nNo authentication is required; the NAWS option is negotiated before any login sequence.\n\nAffected source files:\n- `remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.java` lines 856-879\n- `remote-telnet/src/main/java/org/jline/builtins/telnet/Telnet.java` lines 140-175\n- `reader/src/main/java/org/jline/reader/impl/LineReaderImpl.java` lines 929-962, 1293-1313\n\n### PoC\n\nSend the following two raw Telnet packets in a loop to a running JLine Telnet server.\nNo login or authentication is required.\n\nPacket 1 \u2014 NAWS 65535 \u00d7 65535:\n  FF FA 1F FF FF FF FF FF F0\n  (IAC SB NAWS 0xFF 0xFF 0xFF 0xFF IAC SE)\n\nPacket 2 \u2014 NAWS 65534 \u00d7 65534:\n  FF FA 1F FF FE FF FE FF F0\n  (IAC SB NAWS 0xFF 0xFE 0xFF 0xFE IAC SE)\n\nSending these alternately at ~10 packets/second is sufficient to peg one CPU core on\nthe server. The server remains in this state for as long as the connection is open.\n\nReproduction environment:\n- JLine3 built from current master on x86_64 Linux, OpenJDK 25.0.2\n- `remote-telnet` module started with its default `Telnet` server configuration\n- Test confirmed by source-code analysis and tracing the call chain at runtime\n\n### Impact\n\n**Type**: Denial of Service (CPU exhaustion)\n**Who is affected**: Any application that embeds the JLine3 `remote-telnet` module and\nexposes its Telnet server on a network interface. The attacker requires no credentials.\nA single connection making ~10 alternating NAWS packets per second fully occupies the\nconnection-handling thread and produces continuous I/O on the server's output stream.\nBecause connection threads are re-used for the life of the session, one attacker per\navailable connection slot can deny service to all users of that slot.\n\n### Credits\nThis issue was identified by Micha\u0142 Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.",
      "recommendation": "Upgrade org.jline:jline-remote-telnet to version 4.2.1",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-2r2c-cx56-8933"
        },
        {
          "url": "https://github.com/jline/jline3"
        },
        {
          "url": "https://github.com/jline/jline3/security/advisories/GHSA-2r2c-cx56-8933"
        }
      ],
      "published": "2026-06-18T13:07:16+00:00",
      "updated": "2026-06-18T13:07:16+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.jline/jline-remote-telnet@3.30.4",
          "versions": [
            {
              "version": "3.30.4",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/org.jline/jline-remote-telnet@3.25.0",
          "versions": [
            {
              "version": "3.25.0",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:f8f22857-bcb7-47be-8a28-397113b04b6c/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "GHSA-47qp-hqvx-6r3f",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "### Summary\n\nThe JLine3 Telnet server (`remote-telnet` module) does not limit the number of\nenvironment variables a client may inject via the Telnet NEW-ENVIRON option. An\nunauthenticated attacker can flood the server with a large number of unique\nvariable pairs before sending the terminating IAC SE byte, exhausting JVM heap\nmemory and causing an OutOfMemoryError (denial of service). Approximately 3\u20134 MB of\nnetwork traffic is sufficient to consume a 512 MB JVM heap.\n\n### Details\n\n`TelnetIO.readNEVariables()` (TelnetIO.java:1127-1180) processes incoming NEW-ENVIRON\nvariable pairs in a loop and stores each pair in a `HashMap` held by `ConnectionData`:\n\n```java\n// TelnetIO.java:1139-1178\nboolean cont = true;\nif (i == NE_VAR || i == NE_USERVAR) {\n    do {\n        switch (readNEVariableName(sbuf)) {\n            case NE_VAR_OK:\n                TelnetIO.this.connectionData.getEnvironment().put(str, sbuf.toString());\n                // \u2190 no per-connection count limit\n                break;\n            case NE_VAR_UNDEFINED:\n                break; // cont remains true, loop continues\n        }\n    } while (cont);  // cont is never set to false; only exits via return\n}\n```\n\nThe variable accumulator map is a plain `HashMap` initialized with capacity 20 and\n**no maximum size**:\n\n```java\n// ConnectionData.java:98\nenvironment = new HashMap<String, String>(20);\n```\n\nPer-variable limits exist (name: max 50 chars, value: max 1000 chars), but there is no\ncap on the *count* of variables. Each map entry occupies approximately 2 KB of heap\n(String headers + `Map.Entry` + backing char arrays). On a JVM with a 512 MB heap,\napproximately 250,000 unique entries trigger an `OutOfMemoryError`.\n\nNetwork cost: using sequential 1-byte names (e.g., `\\x01`, `\\x02`, ...) and 1-byte\nvalues, each variable pair requires roughly 13 protocol bytes. Sending 250,000 pairs\nrequires only ~3.25 MB of network traffic \u2014 feasible in seconds over any reasonable\nnetwork connection.\n\nNo authentication is required. NEW-ENVIRON negotiation occurs before login.\n\nAffected source files:\n- `remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.java` lines 1127-1180\n- `remote-telnet/src/main/java/org/jline/builtins/telnet/ConnectionData.java` line 98\n\n### PoC\n\nConnect to the JLine3 Telnet server and, after completing WILL/DO option negotiation,\nsend a NEW-ENVIRON SEND subneg followed by a single large IS subneg containing\nthousands of unique variable pairs before the final IAC SE.\n\nProtocol structure (no authentication required):\n1. Standard Telnet option negotiation (IAC DO NEW-ENVIRON, IAC WILL NEW-ENVIRON)\n2. Server sends IAC SB NEW-ENVIRON SEND IAC SE\n3. Client responds with: IAC SB NEW-ENVIRON IS\n     [NE_VAR 0x01 NE_VALUE 0x01]  \u2190 variable pair 1\n     [NE_VAR 0x02 NE_VALUE 0x01]  \u2190 variable pair 2\n     ... repeated N times ...\n     IAC SE                        \u2190 only sent after N pairs\n\nEach iteration adds one entry to the per-connection environment map. The connection\nthread blocks reading from the socket while accumulating pairs, so the attacker\ncontrols the timing of the OOM.\n\nReproduction environment:\n- JLine3 built from current master on x86_64 Linux, OpenJDK 25.0.2\n- `remote-telnet` module started with its default configuration\n- Confirmed by source-code analysis; loop exit condition and missing count guard\n  verified by inspection of `readNEVariables()` and `ConnectionData` constructor\n\n### Impact\n\n**Type**: Denial of Service (heap memory exhaustion / OutOfMemoryError)\n**Who is affected**: Any application embedding the JLine3 `remote-telnet` module and\nexposing its Telnet server. No credentials are required. A single connection can exhaust\nthe entire JVM heap, crashing the host process or triggering JVM out-of-memory\nhandling that impacts all users sharing that JVM instance.\n\n### Credits \n\nThis issue was identified by Micha\u0142 Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.",
      "recommendation": "Upgrade org.jline:jline-remote-telnet to version 4.2.1",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-47qp-hqvx-6r3f"
        },
        {
          "url": "https://github.com/jline/jline3"
        },
        {
          "url": "https://github.com/jline/jline3/security/advisories/GHSA-47qp-hqvx-6r3f"
        }
      ],
      "published": "2026-06-18T13:07:25+00:00",
      "updated": "2026-06-18T13:07:25+00:00",
      "affects": [
        {
          "ref": "pkg:maven/org.jline/jline-remote-telnet@3.30.4",
          "versions": [
            {
              "version": "3.30.4",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:maven/org.jline/jline-remote-telnet@3.25.0",
          "versions": [
            {
              "version": "3.25.0",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:f8f22857-bcb7-47be-8a28-397113b04b6c/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:526c16ed-2806-4262-98c0-e1b6ab29352b/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:d72a1ad1-eec9-4152-bd84-8176f4c188d6/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:5d03e3dc-c2b8-4179-a16d-cc5aeb6b15a7/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:66267501-954a-4f0c-8363-c44473b0b206/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:2172c73a-9106-4f0f-9d6e-5c94bed70204/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:9431c823-40f4-4283-a88a-e6d8e50cb6db/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:178354b8-2324-45bf-a433-4c6b646c89ca/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/org.jline/jline-remote-telnet@3.25.0"
        },
        {
          "ref": "urn:cdx:5effc8ff-b2b5-47db-8711-ef37efe26633/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:62a49eef-fdac-4afc-a4ec-fcf4bcb08a90/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        },
        {
          "ref": "urn:cdx:a2276cbb-77b4-49c7-ac24-26a0671a9b58/1#pkg:maven/org.jline/jline-remote-telnet@3.30.4"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "update"
        ],
        "detail": null
      }
    },
    {
      "id": "CVE-2026-44893",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        703
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-codec-haproxy to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-44893"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-44893"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44893"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44893"
        }
      ],
      "published": "2026-06-12T15:16:26+00:00",
      "updated": "2026-06-15T02:23:31+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    },
    {
      "id": "CVE-2026-48059",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
      },
      "ratings": [
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "cwes": [
        401
      ],
      "description": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path \u2014 no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.",
      "recommendation": "Upgrade io.netty:netty-codec-haproxy to version 4.2.15.Final, 4.1.135.Final",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2026-48059"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2026-48059"
        },
        {
          "url": "https://github.com/netty/netty"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        },
        {
          "url": "https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48059"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48059"
        }
      ],
      "published": "2026-06-12T16:16:30+00:00",
      "updated": "2026-06-15T01:56:30+00:00",
      "affects": [
        {
          "ref": "pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final",
          "versions": [
            {
              "version": "4.1.133.Final",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "urn:cdx:55dff4ec-95a8-48ec-962d-f06a860de3f2/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:faa754f6-5c8d-4cb0-9d4b-38a1e9fbcc96/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:513b8e65-769e-48a2-b12d-94929f3ed867/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        },
        {
          "ref": "urn:cdx:9e55cd19-7a99-4388-9a6b-81bc3fe2b9de/1#pkg:maven/io.netty/netty-codec-haproxy@4.1.133.Final"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "justification": "",
        "response": [],
        "detail": "This CVE is under investigation by Confluent."
      }
    }
  ],
  "component": []
}