Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift Container Platform
Subscriptions
Total
232 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-4853 | 2 Quarkus, Redhat | 21 Quarkus, Build Of Optaplanner, Build Of Quarkus and 18 more | 2024-09-16 | 8.1 High |
| A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. | ||||
| CVE-2023-5408 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-09-16 | 7.2 High |
| A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster. | ||||
| CVE-2023-4066 | 1 Redhat | 6 Amq Broker, Enterprise Linux, Jboss A-mq and 3 more | 2024-09-16 | 5.5 Medium |
| A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker. | ||||
| CVE-2023-4065 | 1 Redhat | 6 Amq Broker, Enterprise Linux, Jboss A-mq and 3 more | 2024-09-16 | 5.5 Medium |
| A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions. | ||||
| CVE-2024-6387 | 9 Amazon, Canonical, Debian and 6 more | 24 Linux 2023, Ubuntu Linux, Debian Linux and 21 more | 2024-09-14 | 8.1 High |
| A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | ||||
| CVE-2022-4145 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-09-03 | 4.3 Medium |
| A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation. | ||||
| CVE-2022-3248 | 1 Redhat | 6 Acm, Advanced Cluster Management For Kubernetes, Ansible Automation Platform and 3 more | 2024-08-29 | 4.4 Medium |
| A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied. | ||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 364 Http Server, Opensearch Data Prepper, Apisix and 361 more | 2024-08-19 | 7.5 High |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | ||||
| CVE-2015-8103 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-08-06 | 9.8 Critical |
| The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". | ||||
| CVE-2016-1000232 | 3 Ibm, Redhat, Salesforce | 5 Api Connect, Openshift, Openshift Container Platform and 2 more | 2024-08-06 | N/A |
| NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0. | ||||
| CVE-2016-8651 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-06 | N/A |
| An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure of any information contained within the image. | ||||
| CVE-2017-17485 | 4 Debian, Fasterxml, Netapp and 1 more | 15 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 12 more | 2024-08-05 | 9.8 Critical |
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | ||||
| CVE-2017-15138 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-05 | N/A |
| The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens. | ||||
| CVE-2017-15137 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-05 | N/A |
| The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed. | ||||
| CVE-2017-12195 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-05 | N/A |
| A flaw was found in all Openshift Enterprise versions using the openshift elasticsearch plugin. An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices. | ||||
| CVE-2017-7481 | 3 Canonical, Debian, Redhat | 14 Ubuntu Linux, Debian Linux, Ansible Engine and 11 more | 2024-08-05 | 9.8 Critical |
| Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. | ||||
| CVE-2018-1000861 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-08-05 | 9.8 Critical |
| A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | ||||
| CVE-2018-1000862 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-08-05 | N/A |
| An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. | ||||
| CVE-2018-1000863 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-08-05 | N/A |
| A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. | ||||
| CVE-2018-1000865 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-08-05 | N/A |
| A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | ||||