Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift Data Foundation
Subscriptions
Total
132 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3089 | 2 Devworkspace, Redhat | 18 1.0, Acm, Amq Streams and 15 more | 2024-08-02 | 7 High |
| A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. | ||||
| CVE-2023-2121 | 2 Hashicorp, Redhat | 2 Vault, Openshift Data Foundation | 2024-08-02 | 4.3 Medium |
| Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. | ||||
| CVE-2023-0665 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-02 | 6.5 Medium |
| HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9. | ||||
| CVE-2023-0620 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-02 | 6.5 Medium |
| HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9. | ||||
| CVE-2024-37890 | 2 Redhat, Websockets | 2 Openshift Data Foundation, Ws | 2024-08-02 | 7.5 High |
| ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied. | ||||
| CVE-2024-28176 | 1 Redhat | 4 Enterprise Linux, Openshift, Openshift Data Foundation and 1 more | 2024-08-02 | 4.9 Medium |
| jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5. | ||||
| CVE-2024-24786 | 1 Redhat | 20 Acm, Container Native Virtualization, Enterprise Linux and 17 more | 2024-08-01 | 5.9 Medium |
| The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | ||||
| CVE-2024-24783 | 1 Redhat | 20 Advanced Cluster Security, Ansible Automation Platform, Cryostat and 17 more | 2024-08-01 | 5.9 Medium |
| Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. | ||||
| CVE-2024-24789 | 2 Golang, Redhat | 9 Go, Enterprise Linux, Network Observ Optr and 6 more | 2024-08-01 | 5.5 Medium |
| The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. | ||||
| CVE-2024-24785 | 1 Redhat | 16 Enterprise Linux, Kube Descheduler Operator, Logging and 13 more | 2024-08-01 | 6.5 Medium |
| If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. | ||||
| CVE-2024-24788 | 1 Redhat | 9 Ansible Automation Platform, Cost Management, Cryostat and 6 more | 2024-08-01 | 7.5 High |
| A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. | ||||
| CVE-2024-6104 | 2 Hashicorp, Redhat | 8 Retryablehttp, Advanced Cluster Security, Enterprise Linux and 5 more | 2024-08-01 | 6 Medium |
| go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | ||||