Filtered by vendor Redhat Subscriptions
Filtered by product Openshift Subscriptions
Total 975 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-10394 2 Jenkins, Redhat 2 Script Security, Openshift 2024-11-21 4.2 Medium
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10393 2 Jenkins, Redhat 2 Script Security, Openshift 2024-11-21 4.2 Medium
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10392 2 Jenkins, Redhat 2 Git Client, Openshift 2024-11-21 8.8 High
Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.
CVE-2019-10384 3 Jenkins, Oracle, Redhat 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more 2024-11-21 8.8 High
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVE-2019-10383 3 Jenkins, Oracle, Redhat 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more 2024-11-21 4.8 Medium
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
CVE-2019-10357 2 Jenkins, Redhat 3 Pipeline\, Openshift, Openshift Container Platform 2024-11-21 4.3 Medium
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.
CVE-2019-10356 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2024-11-21 8.8 High
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10355 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2024-11-21 8.8 High
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10354 2 Jenkins, Redhat 3 Jenkins, Openshift, Openshift Container Platform 2024-11-21 4.3 Medium
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
CVE-2019-10353 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-11-21 N/A
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
CVE-2019-10352 2 Jenkins, Redhat 2 Jenkins, Openshift 2024-11-21 N/A
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
CVE-2019-10337 2 Jenkins, Redhat 2 Token Macro, Openshift 2024-11-21 N/A
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
CVE-2019-10328 2 Jenkins, Redhat 2 Pipeline Remote Loader, Openshift 2024-11-21 N/A
Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.
CVE-2019-10320 2 Jenkins, Redhat 2 Credentials, Openshift 2024-11-21 N/A
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
CVE-2019-10225 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 6.3 Medium
A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files.
CVE-2019-10215 2 Bootstrap-3-typeahead Project, Redhat 2 Bootstrap-3-typeahead, Openshift 2024-11-21 6.1 Medium
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.
CVE-2019-10214 5 Buildah Project, Libpod Project, Opensuse and 2 more 7 Buildah, Libpod, Leap and 4 more 2024-11-21 5.9 Medium
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
CVE-2019-10213 1 Redhat 3 Enterprise Linux, Openshift, Openshift Container Platform 2024-11-21 6.5 Medium
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
CVE-2019-10176 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 N/A
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack.
CVE-2019-10165 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 2.3 Low
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.