Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift
Subscriptions
Total
1044 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-29824 | 2 Redhat, Scipy | 2 Openshift, Scipy | 2024-11-21 | 9.8 Critical |
| A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0. NOTE: the vendor and discoverer indicate that this is not a security issue. | ||||
| CVE-2023-29483 | 1 Redhat | 4 Ansible Automation Platform, Enterprise Linux, Openshift and 1 more | 2024-11-21 | 7.0 High |
| eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. | ||||
| CVE-2023-27540 | 2 Ibm, Redhat | 3 Cloud Pak For Data, Watson Cp4d Data Stores, Openshift | 2024-11-21 | 5.9 Medium |
| IBM Watson CP4D Data Stores 4.6.0 does not properly allocate resources without limits or throttling which could allow a remote attacker with information specific to the system to cause a denial of service. IBM X-Force ID: 248924. | ||||
| CVE-2023-24422 | 2 Jenkins, Redhat | 3 Script Security, Ocp Tools, Openshift | 2024-11-21 | 8.8 High |
| A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2023-23468 | 2 Ibm, Redhat | 2 Robotic Process Automation, Openshift | 2024-11-21 | 5.1 Medium |
| IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to insufficient security configuration which may allow creation of namespaces within a cluster. IBM X-Force ID: 244500. | ||||
| CVE-2023-22863 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2024-11-21 | 5.9 Medium |
| IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 244109. | ||||
| CVE-2023-22594 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2024-11-21 | 4.6 Medium |
| IBM Robotic Process Automation for Cloud Pak 20.12.0 through 21.0.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244075. | ||||
| CVE-2023-22593 | 2 Ibm, Redhat | 2 Robotic Process Automation, Openshift | 2024-11-21 | 4 Medium |
| IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to security misconfiguration of the Redis container which may provide elevated privileges. IBM X-Force ID: 244074. | ||||
| CVE-2023-22592 | 2 Ibm, Redhat | 2 Robotic Process Automation For Cloud Pak, Openshift | 2024-11-21 | 4 Medium |
| IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.4 could allow a local user to perform unauthorized actions due to insufficient permission settings. IBM X-Force ID: 244073. | ||||
| CVE-2023-1260 | 2 Kubernetes, Redhat | 4 Kube-apiserver, Openshift, Openshift Container Platform and 1 more | 2024-11-21 | 8 High |
| An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions "update, patch" the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod. | ||||
| CVE-2023-0296 | 1 Redhat | 1 Openshift | 2024-11-21 | 5.3 Medium |
| The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), therefore the potential impact related to this vulnerability is minimal. The CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component. | ||||
| CVE-2023-0229 | 1 Redhat | 1 Openshift | 2024-11-21 | 6.3 Medium |
| A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify. | ||||
| CVE-2022-4318 | 3 Fedoraproject, Kubernetes, Redhat | 9 Extra Packages For Enterprise Linux, Fedora, Cri-o and 6 more | 2024-11-21 | 7.8 High |
| A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable. | ||||
| CVE-2022-4145 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | 4.3 Medium |
| A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation. | ||||
| CVE-2022-46174 | 2 Amazon, Redhat | 3 Efs-utils, Elastic File System Container Storage Interface Driver, Openshift | 2024-11-21 | 4.2 Medium |
| efs-utils is a set of Utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems. This issue is patched in version v1.34.4. There is no recommended work around. We recommend affected users update the installed version of efs-utils to v1.34.4 or later. | ||||
| CVE-2022-46149 | 3 Capnproto, Fedoraproject, Redhat | 4 Capnp, Capnproto, Fedora and 1 more | 2024-11-21 | 5.4 Medium |
| Cap'n Proto is a data interchange format and remote procedure call (RPC) system. Cap'n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2. | ||||
| CVE-2022-46146 | 2 Prometheus, Redhat | 2 Exporter Toolkit, Openshift | 2024-11-21 | 6.2 Medium |
| Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. | ||||
| CVE-2022-45381 | 2 Jenkins, Redhat | 2 Pipeline Utility Steps, Openshift | 2024-11-21 | 8.1 High |
| Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. | ||||
| CVE-2022-45380 | 2 Jenkins, Redhat | 2 Junit, Openshift | 2024-11-21 | 5.4 Medium |
| Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | ||||
| CVE-2022-45379 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2024-11-21 | 7.5 High |
| Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. | ||||