Filtered by vendor Redhat Subscriptions
Filtered by product Openshift Container Platform Subscriptions
Total 237 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-14892 3 Apache, Fasterxml, Redhat 13 Geode, Jackson-databind, Decision Manager and 10 more 2024-08-05 9.8 Critical
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2019-14819 1 Redhat 2 Openshift, Openshift Container Platform 2024-08-05 8.8 High
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
CVE-2019-14813 5 Artifex, Debian, Fedoraproject and 2 more 13 Ghostscript, Debian Linux, Fedora and 10 more 2024-08-05 9.8 Critical
A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
CVE-2019-14811 5 Artifex, Debian, Fedoraproject and 2 more 7 Ghostscript, Debian Linux, Fedora and 4 more 2024-08-05 7.8 High
A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
CVE-2019-14379 7 Apple, Debian, Fasterxml and 4 more 37 Xcode, Debian Linux, Jackson-databind and 34 more 2024-08-05 9.8 Critical
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVE-2019-14287 7 Canonical, Debian, Fedoraproject and 4 more 21 Ubuntu Linux, Debian Linux, Fedora and 18 more 2024-08-05 8.8 High
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
CVE-2019-13734 8 Canonical, Debian, Fedoraproject and 5 more 20 Ubuntu Linux, Debian Linux, Fedora and 17 more 2024-08-05 8.8 High
Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2019-11244 3 Kubernetes, Netapp, Redhat 4 Kubernetes, Trident, Openshift and 1 more 2024-08-04 5.0 Medium
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
CVE-2019-10384 3 Jenkins, Oracle, Redhat 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more 2024-08-04 8.8 High
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVE-2019-10383 3 Jenkins, Oracle, Redhat 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more 2024-08-04 4.8 Medium
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
CVE-2019-10356 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2024-08-04 8.8 High
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10357 2 Jenkins, Redhat 3 Pipeline\, Openshift, Openshift Container Platform 2024-08-04 4.3 Medium
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.
CVE-2019-10355 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2024-08-04 8.8 High
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-10354 2 Jenkins, Redhat 3 Jenkins, Openshift, Openshift Container Platform 2024-08-04 4.3 Medium
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
CVE-2019-10225 1 Redhat 2 Openshift, Openshift Container Platform 2024-08-04 6.3 Medium
A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files.
CVE-2019-10200 1 Redhat 1 Openshift Container Platform 2024-08-04 7.2 High
A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
CVE-2019-10223 3 Kubernetes, Linux, Redhat 3 Kube-state-metrics, Linux Kernel, Openshift Container Platform 2024-08-04 6.5 Medium
A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible.
CVE-2019-10214 5 Buildah Project, Libpod Project, Opensuse and 2 more 7 Buildah, Libpod, Leap and 4 more 2024-08-04 5.9 Medium
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
CVE-2019-10213 1 Redhat 3 Enterprise Linux, Openshift, Openshift Container Platform 2024-08-04 6.5 Medium
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
CVE-2019-10165 1 Redhat 2 Openshift, Openshift Container Platform 2024-08-04 2.3 Low
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.