Filtered by vendor Redhat Subscriptions
Total 20578 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-5547 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2024-09-04 3.3 Low
The course upload preview contained an XSS risk for users uploading unsafe data.
CVE-2023-6717 1 Redhat 15 Amq Broker, Build Keycloak, Jboss Data Grid and 12 more 2024-09-04 6 Medium
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
CVE-2024-4629 1 Redhat 3 Build Keycloak, Jboss Enterprise Application Platform, Red Hat Single Sign On 2024-09-04 6.5 Medium
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
CVE-2024-0874 1 Redhat 3 Acm, Logging, Openshift 2024-09-04 5.3 Medium
A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.
CVE-2022-0185 3 Linux, Netapp, Redhat 20 Linux Kernel, H300e, H300e Firmware and 17 more 2024-09-04 8.4 High
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.
CVE-2024-38095 2 Microsoft, Redhat 5 .net, Powershell, Visual Studio and 2 more 2024-09-03 7.5 High
.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-30105 2 Microsoft, Redhat 5 .net, Powershell, Visual Studio and 2 more 2024-09-03 7.5 High
.NET Core and Visual Studio Denial of Service Vulnerability
CVE-2024-35264 2 Microsoft, Redhat 4 .net, Visual Studio, Visual Studio 2022 and 1 more 2024-09-03 8.1 High
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-41993 7 Apple, Debian, Fedoraproject and 4 more 14 Ipados, Iphone Os, Macos and 11 more 2024-09-03 8.8 High
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
CVE-2024-33663 1 Redhat 1 Ansible Automation Platform 2024-09-03 6.5 Medium
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
CVE-2024-5154 1 Redhat 2 Enterprise Linux, Openshift 2024-09-03 8.1 High
A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.
CVE-2024-5203 1 Redhat 2 Build Keycloak, Red Hat Single Sign On 2024-09-03 3.7 Low
A Cross-site request forgery (CSRF) flaw was found in Keycloak and occurs due to the lack of a unique token sent during the authentication POST request, /login-actions/authenticate. This flaw allows an attacker to craft a malicious login page and trick a legitimate user of an application into authenticating with an attacker-controlled account instead of their own.
CVE-2024-42005 2 Djangoproject, Redhat 2 Django, Ansible Automation Platform 2024-09-03 9.8 Critical
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
CVE-2024-21055 2 Oracle, Redhat 3 Mysql Server, Enterprise Linux, Rhel Software Collections 2024-09-03 4.9 Medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2024-31080 1 Redhat 5 Enterprise Linux, Rhel Aus, Rhel E4s and 2 more 2024-09-03 7.3 High
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2023-47108 2 Opentelemetry, Redhat 5 Opentelemetry, Acm, Openshift and 2 more 2024-09-03 7.5 High
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
CVE-2023-5992 2 Opensc Project, Redhat 2 Opensc, Enterprise Linux 2024-09-03 5.6 Medium
A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.
CVE-2024-5148 1 Redhat 1 Enterprise Linux 2024-09-03 7.5 High
A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized users. This flaw allows a malicious user on the system to take control of the RDP client connection during the login screen-to-user session transition.
CVE-2022-4145 1 Redhat 2 Openshift, Openshift Container Platform 2024-09-03 4.3 Medium
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
CVE-2024-8285 1 Redhat 1 Amq Streams 2024-09-03 7.3 High
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.