Filtered by vendor Redhat Subscriptions
Filtered by product Container Native Virtualization Subscriptions
Total 85 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-3727 1 Redhat 18 Acm, Advanced Cluster Security, Ansible Automation Platform and 15 more 2024-10-16 8.3 High
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
CVE-2024-1394 1 Redhat 23 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 20 more 2024-10-14 7.5 High
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.
CVE-2024-41818 3 Fast-xml-parser Project, Naturalintelligence, Redhat 4 Fast-xml-parser, Fast Xml Parser, Container Native Virtualization and 1 more 2024-10-11 7.5 High
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.
CVE-2024-9355 1 Redhat 19 Amq Streams, Ansible Automation Platform, Container Native Virtualization and 16 more 2024-10-10 6.5 Medium
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.
CVE-2021-20329 2 Mongodb, Redhat 4 Go Driver, Container Native Virtualization, Openshift and 1 more 2024-09-16 6.8 Medium
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers prior to and including 1.5.0.
CVE-2024-4467 1 Redhat 7 Advanced Virtualization, Container Native Virtualization, Enterprise Linux and 4 more 2024-09-13 7.8 High
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
CVE-2023-45857 2 Axios, Redhat 6 Axios, Ansible Automation Platform, Container Native Virtualization and 3 more 2024-09-04 6.5 Medium
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
CVE-2024-28180 1 Redhat 11 Advanced Cluster Security, Container Native Virtualization, Enterprise Linux and 8 more 2024-08-28 4.3 Medium
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
CVE-2023-45288 1 Redhat 27 Acm, Advanced Cluster Security, Ansible Automation Platform and 24 more 2024-08-26 7.5 High
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
CVE-2024-31419 1 Redhat 1 Container Native Virtualization 2024-08-20 4.3 Medium
An information disclosure flaw was found in OpenShift Virtualization. The DownwardMetrics feature was introduced to expose host metrics to virtual machine guests and is enabled by default. This issue could expose limited host metrics of a node to any guest in any namespace without being explicitly enabled by an administrator.
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 364 Http Server, Opensearch Data Prepper, Apisix and 361 more 2024-08-19 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2020-29652 2 Golang, Redhat 4 Ssh, Container Native Virtualization, Enterprise Linux and 1 more 2024-08-04 7.5 High
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
CVE-2020-28362 4 Fedoraproject, Golang, Netapp and 1 more 12 Fedora, Go, Cloud Insights Telegraf Agent and 9 more 2024-08-04 7.5 High
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
CVE-2020-27813 3 Debian, Gorillatoolkit, Redhat 4 Debian Linux, Websocket, Container Native Virtualization and 1 more 2024-08-04 7.5 High
An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.
CVE-2020-26160 2 Jwt-go Project, Redhat 6 Jwt-go, Container Native Virtualization, Cryostat and 3 more 2024-08-04 7.5 High
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
CVE-2020-16845 5 Debian, Fedoraproject, Golang and 2 more 13 Debian Linux, Fedora, Go and 10 more 2024-08-04 7.5 High
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
CVE-2020-15586 6 Cloudfoundry, Debian, Fedoraproject and 3 more 15 Cf-deployment, Routing-release, Debian Linux and 12 more 2024-08-04 5.9 Medium
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
CVE-2020-14316 2 Kubevirt, Redhat 3 Kubevirt, Container Native Virtualization, Openshift Virtualization 2024-08-04 9.9 Critical
A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-14040 3 Fedoraproject, Golang, Redhat 16 Fedora, Text, 3scale Amp and 13 more 2024-08-04 7.5 High
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
CVE-2020-10749 3 Fedoraproject, Linuxfoundation, Redhat 7 Fedora, Cni Network Plugins, Container Native Virtualization and 4 more 2024-08-04 6 Medium
A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.