Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift
Subscriptions
Total
931 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15106 | 3 Etcd, Fedoraproject, Redhat | 5 Etcd, Fedora, Openshift and 2 more | 2024-08-04 | 6.5 Medium |
| In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL. | ||||
| CVE-2020-14370 | 3 Fedoraproject, Podman Project, Redhat | 6 Fedora, Podman, Enterprise Linux and 3 more | 2024-08-04 | 5.3 Medium |
| An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables. | ||||
| CVE-2020-14336 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-04 | 6.5 Medium |
| A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability. | ||||
| CVE-2020-14040 | 3 Fedoraproject, Golang, Redhat | 16 Fedora, Text, 3scale Amp and 13 more | 2024-08-04 | 7.5 High |
| The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. | ||||
| CVE-2020-13822 | 2 Elliptic Project, Redhat | 3 Elliptic, Openshift, Red Hat Single Sign On | 2024-08-04 | 7.7 High |
| The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. | ||||
| CVE-2020-13757 | 4 Canonical, Fedoraproject, Python-rsa Project and 1 more | 4 Ubuntu Linux, Fedora, Python-rsa and 1 more | 2024-08-04 | 7.5 High |
| Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). | ||||
| CVE-2020-13379 | 5 Fedoraproject, Grafana, Netapp and 2 more | 11 Fedora, Grafana, E-series Performance Analyzer and 8 more | 2024-08-04 | 8.2 High |
| The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. | ||||
| CVE-2020-12245 | 2 Grafana, Redhat | 4 Grafana, Enterprise Linux, Openshift and 1 more | 2024-08-04 | 6.1 Medium |
| Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. | ||||
| CVE-2020-12052 | 2 Grafana, Redhat | 4 Grafana, Enterprise Linux, Openshift and 1 more | 2024-08-04 | 6.1 Medium |
| Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||||
| CVE-2020-11979 | 5 Apache, Fedoraproject, Gradle and 2 more | 38 Ant, Fedora, Gradle and 35 more | 2024-08-04 | 7.5 High |
| As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. | ||||
| CVE-2020-11110 | 3 Grafana, Netapp, Redhat | 4 Grafana, E-series Performance Analyzer, Enterprise Linux and 1 more | 2024-08-04 | 5.4 Medium |
| Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||||
| CVE-2020-11100 | 6 Canonical, Debian, Fedoraproject and 3 more | 10 Ubuntu Linux, Debian Linux, Fedora and 7 more | 2024-08-04 | 8.8 High |
| In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. | ||||
| CVE-2020-11022 | 9 Debian, Drupal, Fedoraproject and 6 more | 88 Debian Linux, Drupal, Fedora and 85 more | 2024-08-04 | 6.9 Medium |
| In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
| CVE-2020-11023 | 8 Debian, Drupal, Fedoraproject and 5 more | 65 Debian Linux, Drupal, Fedora and 62 more | 2024-08-04 | 6.9 Medium |
| In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
| CVE-2020-10763 | 2 Heketi Project, Redhat | 6 Heketi, Enterprise Linux, Gluster Storage and 3 more | 2024-08-04 | 5.5 Medium |
| An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords. | ||||
| CVE-2020-10749 | 3 Fedoraproject, Linuxfoundation, Redhat | 7 Fedora, Cni Network Plugins, Container Native Virtualization and 4 more | 2024-08-04 | 6 Medium |
| A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container. | ||||
| CVE-2020-10743 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2024-08-04 | 4.3 Medium |
| It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking. | ||||
| CVE-2020-10715 | 1 Redhat | 1 Openshift | 2024-08-04 | 4.3 Medium |
| A content spoofing vulnerability was found in the openshift/console 3.11 and 4.x. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the inserted text is legitimate. | ||||
| CVE-2020-10712 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-04 | 7 High |
| A flaw was found in OpenShift Container Platform version 4.1 and later. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity. | ||||
| CVE-2020-10706 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-08-04 | 6.3 Medium |
| A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid. | ||||