{
  "threat_severity" : "Important",
  "public_date" : "2021-08-22T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-pac-resolver: remote code execution when used with untrusted input due to unsafe PAC file handling",
    "id" : "1998236",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1998236"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-94",
  "details" : [ "This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.", "A flaw was found in nodejs-pac-resolver. A remote code execution can occur with untrusted input, due to unsafe PAC file handling. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "The Red Hat Advanced Cluster Management for Kubernetes ships with the vulnerable component. We are currently not aware of the vector to trigger the vulnerability in the affected component, furthermore the affected component is protected by user authentication lowering the potential impact of this vulnerability.",
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/application-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/console-header-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/grc-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/mcm-topology-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23406\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23406\nhttps://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e\nhttps://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5\nhttps://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857" ],
  "name" : "CVE-2021-23406",
  "csaw" : false
}