Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift
Subscriptions
Total
1073 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-8564 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 4.7 Medium |
| In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. | ||||
| CVE-2020-8563 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 4.7 Medium |
| In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. | ||||
| CVE-2020-8559 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 6.4 Medium |
| The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. | ||||
| CVE-2020-8558 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 5.4 Medium |
| The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. | ||||
| CVE-2020-8557 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 5.5 Medium |
| The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. | ||||
| CVE-2020-8555 | 3 Fedoraproject, Kubernetes, Redhat | 3 Fedora, Kubernetes, Openshift | 2024-11-21 | 6.3 Medium |
| The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services). | ||||
| CVE-2020-8554 | 3 Kubernetes, Oracle, Redhat | 5 Kubernetes, Communications Cloud Native Core Network Slice Selection Function, Communications Cloud Native Core Policy and 2 more | 2024-11-21 | 6.3 Medium |
| Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. | ||||
| CVE-2020-8552 | 3 Fedoraproject, Kubernetes, Redhat | 3 Fedora, Kubernetes, Openshift | 2024-11-21 | 5.3 Medium |
| The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. | ||||
| CVE-2020-8551 | 3 Fedoraproject, Kubernetes, Redhat | 3 Fedora, Kubernetes, Openshift | 2024-11-21 | 4.3 Medium |
| The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250. | ||||
| CVE-2020-8203 | 3 Lodash, Oracle, Redhat | 24 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 21 more | 2024-11-21 | 7.4 High |
| Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | ||||
| CVE-2020-7774 | 4 Oracle, Redhat, Siemens and 1 more | 7 Graalvm, Enterprise Linux, Openshift and 4 more | 2024-11-21 | 7.3 High |
| The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. | ||||
| CVE-2020-7692 | 2 Google, Redhat | 3 Oauth Client Library For Java, Ocp Tools, Openshift | 2024-11-21 | 7.4 High |
| PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. | ||||
| CVE-2020-7662 | 2 Redhat, Websocket-extensions Project | 3 Openshift, Service Mesh, Websocket-extensions | 2024-11-21 | 7.5 High |
| websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. | ||||
| CVE-2020-7598 | 3 Opensuse, Redhat, Substack | 9 Leap, Enterprise Linux, Openshift and 6 more | 2024-11-21 | 5.6 Medium |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||||
| CVE-2020-7211 | 4 Libslirp Project, Microsoft, Qemu and 1 more | 4 Libslirp, Windows, Qemu and 1 more | 2024-11-21 | 7.5 High |
| tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. | ||||
| CVE-2020-7039 | 5 Debian, Libslirp Project, Opensuse and 2 more | 12 Debian Linux, Libslirp, Leap and 9 more | 2024-11-21 | 5.6 Medium |
| tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. | ||||
| CVE-2020-7015 | 2 Elastic, Redhat | 2 Kibana, Openshift | 2024-11-21 | 5.4 Medium |
| Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization. | ||||
| CVE-2020-7013 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2024-11-21 | 7.2 High |
| Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. | ||||
| CVE-2020-36189 | 5 Debian, Fasterxml, Netapp and 2 more | 42 Debian Linux, Jackson-databind, Cloud Backup and 39 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. | ||||
| CVE-2020-36188 | 5 Debian, Fasterxml, Netapp and 2 more | 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. | ||||