Filtered by vendor Redhat
Subscriptions
Filtered by product Container Native Virtualization
Subscriptions
Total
86 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41190 | 3 Fedoraproject, Linuxfoundation, Redhat | 10 Fedora, Open Container Initiative Distribution Specification, Open Container Initiative Image Format Specification and 7 more | 2024-11-21 | 3 Low |
| The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. | ||||
| CVE-2021-3121 | 3 Golang, Hashicorp, Redhat | 9 Protobuf, Consul, Acm and 6 more | 2024-11-21 | 8.6 High |
| An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. | ||||
| CVE-2021-3114 | 5 Debian, Fedoraproject, Golang and 2 more | 13 Debian Linux, Fedora, Go and 10 more | 2024-11-21 | 6.5 Medium |
| In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. | ||||
| CVE-2021-38561 | 2 Golang, Redhat | 6 Text, Acm, Container Native Virtualization and 3 more | 2024-11-21 | 7.5 High |
| golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. | ||||
| CVE-2021-36221 | 6 Debian, Fedoraproject, Golang and 3 more | 15 Debian Linux, Fedora, Go and 12 more | 2024-11-21 | 5.9 Medium |
| Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. | ||||
| CVE-2021-34558 | 5 Fedoraproject, Golang, Netapp and 2 more | 19 Fedora, Go, Cloud Insights Telegraf and 16 more | 2024-11-21 | 6.5 Medium |
| The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. | ||||
| CVE-2021-33198 | 2 Golang, Redhat | 13 Go, Advanced Cluster Security, Container Native Virtualization and 10 more | 2024-11-21 | 7.5 High |
| In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | ||||
| CVE-2021-33197 | 2 Golang, Redhat | 11 Go, Advanced Cluster Security, Container Native Virtualization and 8 more | 2024-11-21 | 5.3 Medium |
| In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | ||||
| CVE-2021-33195 | 3 Golang, Netapp, Redhat | 12 Go, Cloud Insights Telegraf Agent, Advanced Cluster Security and 9 more | 2024-11-21 | 7.3 High |
| Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | ||||
| CVE-2021-31525 | 3 Fedoraproject, Golang, Redhat | 11 Fedora, Go, Advanced Cluster Security and 8 more | 2024-11-21 | 5.9 Medium |
| net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. | ||||
| CVE-2021-29923 | 4 Fedoraproject, Golang, Oracle and 1 more | 13 Fedora, Go, Timesten In-memory Database and 10 more | 2024-11-21 | 7.5 High |
| Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. | ||||
| CVE-2021-29482 | 2 Redhat, Xz Project | 6 Acm, Container Native Virtualization, Openshift Api Data Protection and 3 more | 2024-11-21 | 7.5 High |
| xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated. | ||||
| CVE-2021-20329 | 2 Mongodb, Redhat | 4 Go Driver, Container Native Virtualization, Openshift and 1 more | 2024-11-21 | 6.8 Medium |
| Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0. | ||||
| CVE-2021-20206 | 2 Linuxfoundation, Redhat | 3 Container Network Interface, Container Native Virtualization, Openshift | 2024-11-21 | 7.2 High |
| An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | ||||
| CVE-2020-9283 | 3 Debian, Golang, Redhat | 7 Debian Linux, Package Ssh, 3scale Amp and 4 more | 2024-11-21 | 7.5 High |
| golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. | ||||
| CVE-2020-29652 | 2 Golang, Redhat | 4 Ssh, Container Native Virtualization, Enterprise Linux and 1 more | 2024-11-21 | 7.5 High |
| A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. | ||||
| CVE-2020-28362 | 4 Fedoraproject, Golang, Netapp and 1 more | 12 Fedora, Go, Cloud Insights Telegraf Agent and 9 more | 2024-11-21 | 7.5 High |
| Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. | ||||
| CVE-2020-27813 | 3 Debian, Gorillatoolkit, Redhat | 4 Debian Linux, Websocket, Container Native Virtualization and 1 more | 2024-11-21 | 7.5 High |
| An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections. | ||||
| CVE-2020-26160 | 2 Jwt-go Project, Redhat | 6 Jwt-go, Container Native Virtualization, Cryostat and 3 more | 2024-11-21 | 7.5 High |
| jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. | ||||
| CVE-2020-1742 | 2 Nmstate, Redhat | 3 Kubernetes-nmstate, Container Native Virtualization, Openshift Virtualization | 2024-11-21 | 7.0 High |
| An insecure modification vulnerability flaw was found in containers using nmstate/kubernetes-nmstate-handler. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Versions before kubernetes-nmstate-handler-container-v2.3.0-30 are affected. | ||||