Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift
Subscriptions
Total
975 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-10394 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2024-11-21 | 4.2 Medium |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts. | ||||
CVE-2019-10393 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2024-11-21 | 4.2 Medium |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. | ||||
CVE-2019-10392 | 2 Jenkins, Redhat | 2 Git Client, Openshift | 2024-11-21 | 8.8 High |
Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection. | ||||
CVE-2019-10384 | 3 Jenkins, Oracle, Redhat | 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more | 2024-11-21 | 8.8 High |
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. | ||||
CVE-2019-10383 | 3 Jenkins, Oracle, Redhat | 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more | 2024-11-21 | 4.8 Medium |
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages. | ||||
CVE-2019-10357 | 2 Jenkins, Redhat | 3 Pipeline\, Openshift, Openshift Container Platform | 2024-11-21 | 4.3 Medium |
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries. | ||||
CVE-2019-10356 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-11-21 | 8.8 High |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. | ||||
CVE-2019-10355 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-11-21 | 8.8 High |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. | ||||
CVE-2019-10354 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-11-21 | 4.3 Medium |
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. | ||||
CVE-2019-10353 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | N/A |
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection. | ||||
CVE-2019-10352 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | N/A |
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build. | ||||
CVE-2019-10337 | 2 Jenkins, Redhat | 2 Token Macro, Openshift | 2024-11-21 | N/A |
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. | ||||
CVE-2019-10328 | 2 Jenkins, Redhat | 2 Pipeline Remote Loader, Openshift | 2024-11-21 | N/A |
Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. | ||||
CVE-2019-10320 | 2 Jenkins, Redhat | 2 Credentials, Openshift | 2024-11-21 | N/A |
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate. | ||||
CVE-2019-10225 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | 6.3 Medium |
A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files. | ||||
CVE-2019-10215 | 2 Bootstrap-3-typeahead Project, Redhat | 2 Bootstrap-3-typeahead, Openshift | 2024-11-21 | 6.1 Medium |
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser. | ||||
CVE-2019-10214 | 5 Buildah Project, Libpod Project, Opensuse and 2 more | 7 Buildah, Libpod, Leap and 4 more | 2024-11-21 | 5.9 Medium |
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. | ||||
CVE-2019-10213 | 1 Redhat | 3 Enterprise Linux, Openshift, Openshift Container Platform | 2024-11-21 | 6.5 Medium |
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user. | ||||
CVE-2019-10176 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | N/A |
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack. | ||||
CVE-2019-10165 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | 2.3 Low |
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources. |