Updated images are now available for Red Hat Advanced Cluster Security for
 Kubernetes (RHACS). The updated image includes security fixes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,    
 which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This release of RHACS 4.4.8 includes security fixes. If you are
using an earlier version of RHACS 4.4, you are advised to upgrade to this
patch release 4.4.8.

Security issues fixed:

* npm-serialize-javascript: Cross-site Scripting (XSS) in serialize-javascript
 (CVE-2024-11831)

* go-git: Argument injection via the URL field (CVE-2025-21613)

* go-git: Go-git clients vulnerable to DoS via maliciously crafted Git server
 replies (CVE-2025-21614)

* golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause
 authorization bypass in golang.org/x/crypto (CVE-2024-45337)

* golang.org/x/net/html: Non-linear parsing of case-insensitive content in
 golang.org/x/net/html (CVE-2024-45338)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2024-11831: Improper Neutralization of Input During Web Page Generation
 ('Cross-site Scripting') (CWE-79)
CVE-2024-45337: Improper Authorization (CWE-285)
CVE-2024-45338: Allocation of Resources Without Limits or Throttling (CWE-770)
CVE-2025-21613: Improper Neutralization of Argument Delimiters in a Command
 ('Argument Injection') (CWE-88)
CVE-2025-21614: Allocation of Resources Without Limits or Throttling (CWE-770)