Filtered by vendor Redhat Subscriptions
Filtered by product Openshift Container Platform Subscriptions
Total 237 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-27781 2 Fedoraproject, Redhat 6 Fedora, Ceph, Ceph Storage and 3 more 2024-08-04 7.1 High
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.
CVE-2020-27846 4 Fedoraproject, Grafana, Redhat and 1 more 7 Fedora, Grafana, Enterprise Linux and 4 more 2024-08-04 9.8 Critical
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27836 1 Redhat 3 Enterprise Linux, Openshift, Openshift Container Platform 2024-08-04 9.8 Critical
A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability..
CVE-2020-27777 2 Linux, Redhat 3 Linux Kernel, Enterprise Linux, Openshift Container Platform 2024-08-04 6.7 Medium
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.
CVE-2020-25660 2 Fedoraproject, Redhat 5 Fedora, Ceph, Ceph Storage and 2 more 2024-08-04 8.8 High
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph service via a packet sniffer and perform actions allowed by the Ceph service. This issue is a reintroduction of CVE-2018-1128, affecting the msgr2 protocol. The msgr 2 protocol is used for all communication except older clients that do not support the msgr2 protocol. The msgr1 protocol is not affected. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
CVE-2020-25639 3 Fedoraproject, Linux, Redhat 5 Fedora, Linux Kernel, Enterprise Linux and 2 more 2024-08-04 4.4 Medium
A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system.
CVE-2020-14370 3 Fedoraproject, Podman Project, Redhat 6 Fedora, Podman, Enterprise Linux and 3 more 2024-08-04 5.3 Medium
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
CVE-2020-14336 1 Redhat 2 Openshift, Openshift Container Platform 2024-08-04 6.5 Medium
A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability.
CVE-2020-14298 2 Docker, Redhat 4 Docker, Enterprise Linux Server, Openshift Container Platform and 1 more 2024-08-04 8.8 High
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the container host and other containers running on the same host. This issue only affects docker version 1.13.1-108.git4ef4b30.el7, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later versions are not affected.
CVE-2020-11100 6 Canonical, Debian, Fedoraproject and 3 more 10 Ubuntu Linux, Debian Linux, Fedora and 7 more 2024-08-04 8.8 High
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
CVE-2020-10763 2 Heketi Project, Redhat 6 Heketi, Enterprise Linux, Gluster Storage and 3 more 2024-08-04 5.5 Medium
An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.
CVE-2020-10749 3 Fedoraproject, Linuxfoundation, Redhat 7 Fedora, Cni Network Plugins, Container Native Virtualization and 4 more 2024-08-04 6 Medium
A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
CVE-2020-10752 1 Redhat 1 Openshift Container Platform 2024-08-04 7.5 High
A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into the API Server with the leaked token.
CVE-2020-10743 2 Elastic, Redhat 3 Kibana, Openshift, Openshift Container Platform 2024-08-04 4.3 Medium
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.
CVE-2020-10712 1 Redhat 2 Openshift, Openshift Container Platform 2024-08-04 7 High
A flaw was found in OpenShift Container Platform version 4.1 and later. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity.
CVE-2020-10706 1 Redhat 2 Openshift, Openshift Container Platform 2024-08-04 6.3 Medium
A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid.
CVE-2020-10696 2 Buildah Project, Redhat 5 Buildah, Enterprise Linux, Openshift and 2 more 2024-08-04 8.8 High
A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
CVE-2020-8945 3 Fedoraproject, Gpgme Project, Redhat 12 Fedora, Gpgme, Enterprise Linux and 9 more 2024-08-04 7.5 High
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
CVE-2020-7013 2 Elastic, Redhat 3 Kibana, Openshift, Openshift Container Platform 2024-08-04 7.2 High
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
CVE-2020-1760 5 Canonical, Debian, Fedoraproject and 2 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2024-08-04 5.8 Medium
A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.