Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift
Subscriptions
Total
975 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-10150 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | N/A |
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output. | ||||
CVE-2019-1003050 | 3 Jenkins, Oracle, Redhat | 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more | 2024-11-21 | 5.4 Medium |
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. | ||||
CVE-2019-1003049 | 3 Jenkins, Oracle, Redhat | 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more | 2024-11-21 | 8.1 High |
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. | ||||
CVE-2019-1003042 | 2 Jenkins, Redhat | 2 Lockable Resources, Openshift | 2024-11-21 | N/A |
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. | ||||
CVE-2019-1003041 | 2 Jenkins, Redhat | 3 Pipeline\, Openshift, Openshift Container Platform | 2024-11-21 | 9.8 Critical |
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. | ||||
CVE-2019-1003040 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-11-21 | 9.8 Critical |
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. | ||||
CVE-2019-1003034 | 2 Jenkins, Redhat | 3 Job Dsl, Openshift, Openshift Container Platform | 2024-11-21 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003031 | 2 Jenkins, Redhat | 3 Matrix Project, Openshift, Openshift Container Platform | 2024-11-21 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003030 | 2 Jenkins, Redhat | 3 Pipeline\, Openshift, Openshift Container Platform | 2024-11-21 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003029 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-11-21 | 9.9 Critical |
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. | ||||
CVE-2019-1003024 | 2 Jenkins, Redhat | 3 Script Security, Openshift, Openshift Container Platform | 2024-11-21 | 8.8 High |
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | ||||
CVE-2019-1003014 | 2 Jenkins, Redhat | 3 Config File Provider, Openshift, Openshift Container Platform | 2024-11-21 | N/A |
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file. | ||||
CVE-2019-1003013 | 2 Jenkins, Redhat | 3 Blue Ocean, Openshift, Openshift Container Platform | 2024-11-21 | N/A |
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. | ||||
CVE-2019-1003012 | 2 Jenkins, Redhat | 3 Blue Ocean, Openshift, Openshift Container Platform | 2024-11-21 | N/A |
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. | ||||
CVE-2019-1003011 | 2 Jenkins, Redhat | 3 Token Macro, Openshift, Openshift Container Platform | 2024-11-21 | 8.1 High |
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. | ||||
CVE-2019-1003010 | 2 Jenkins, Redhat | 3 Git, Openshift, Openshift Container Platform | 2024-11-21 | N/A |
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. | ||||
CVE-2019-1003005 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2024-11-21 | 8.8 High |
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | ||||
CVE-2019-1003004 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-11-21 | 7.2 High |
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time. | ||||
CVE-2019-1003003 | 2 Jenkins, Redhat | 3 Jenkins, Openshift, Openshift Container Platform | 2024-11-21 | 7.2 High |
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts. | ||||
CVE-2019-1003002 | 2 Jenkins, Redhat | 3 Pipeline\, Openshift, Openshift Container Platform | 2024-11-21 | 8.8 High |
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. |