Filtered by vendor Redhat
Filtered by product Openshift Container Platform
Total 241 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-10354 2 Jenkins, Redhat 3 Jenkins, Openshift, Openshift Container Platform 2024-11-21 4.3 Medium
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
CVE-2019-10225 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 6.3 Medium
A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RBAC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey and use it to authenticate to the GlusterFS REST service, gaining access to read and modify files.
CVE-2019-10223 3 Kubernetes, Linux, Redhat 3 Kube-state-metrics, Linux Kernel, Openshift Container Platform 2024-11-21 6.5 Medium
A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible.
CVE-2019-10214 5 Buildah Project, Libpod Project, Opensuse and 2 more 7 Buildah, Libpod, Leap and 4 more 2024-11-21 5.9 Medium
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
CVE-2019-10213 1 Redhat 3 Enterprise Linux, Openshift, Openshift Container Platform 2024-11-21 6.5 Medium
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
CVE-2019-10200 1 Redhat 1 Openshift Container Platform 2024-11-21 7.2 High
A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
CVE-2019-10176 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 N/A
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack.
CVE-2019-10165 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 2.3 Low
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.
CVE-2019-10150 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 N/A
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 do not perform SSH host key checking when using SSH key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.
CVE-2019-1010238 6 Canonical, Debian, Fedoraproject and 3 more 14 Ubuntu Linux, Debian Linux, Fedora and 11 more 2024-11-21 9.8 Critical
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap-based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: The bug can be triggered when an application passes invalid UTF-8 strings to functions like pango_itemize.
CVE-2019-1003050 3 Jenkins, Oracle, Redhat 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more 2024-11-21 5.4 Medium
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
CVE-2019-1003049 3 Jenkins, Oracle, Redhat 4 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift and 1 more 2024-11-21 8.1 High
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
CVE-2019-1003041 2 Jenkins, Redhat 3 Pipeline: Groovy, Openshift, Openshift Container Platform 2024-11-21 9.8 Critical
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
CVE-2019-1003040 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2024-11-21 9.8 Critical
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
CVE-2019-1003034 2 Jenkins, Redhat 3 Job Dsl, Openshift, Openshift Container Platform 2024-11-21 9.9 Critical
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.
CVE-2019-1003031 2 Jenkins, Redhat 3 Matrix Project, Openshift, Openshift Container Platform 2024-11-21 9.9 Critical
A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
CVE-2019-1003024 2 Jenkins, Redhat 3 Script Security, Openshift, Openshift Container Platform 2024-11-21 8.8 High
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-1003014 2 Jenkins, Redhat 3 Config File Provider, Openshift, Openshift Container Platform 2024-11-21 N/A
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
CVE-2019-1003013 2 Jenkins, Redhat 3 Blue Ocean, Openshift, Openshift Container Platform 2024-11-21 N/A
A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
CVE-2019-1003012 2 Jenkins, Redhat 3 Blue Ocean, Openshift, Openshift Container Platform 2024-11-21 N/A
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.