Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Filtered by product Openshift Container Platform
Total 225 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-1000864 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2024-02-04 4.0 MEDIUM 6.5 MEDIUM
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
CVE-2019-0542 2 Redhat, Xtermjs 2 Openshift Container Platform, Xterm.js 2024-02-04 6.8 MEDIUM 8.8 HIGH
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.
CVE-2017-15138 1 Redhat 1 Openshift Container Platform 2024-02-04 4.0 MEDIUM 5.0 MEDIUM
The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens.
CVE-2019-1003024 2 Jenkins, Redhat 2 Script Security, Openshift Container Platform 2024-02-04 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2016-8651 1 Redhat 2 Openshift, Openshift Container Platform 2024-02-04 2.7 LOW 3.5 LOW
An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure of any information contained within the image.
CVE-2019-1003002 2 Jenkins, Redhat 2 Pipeline\, Openshift Container Platform 2024-02-04 6.5 MEDIUM 8.8 HIGH
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-1003013 2 Jenkins, Redhat 2 Blue Ocean, Openshift Container Platform 2024-02-04 3.5 LOW 5.4 MEDIUM
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
CVE-2019-6974 5 Canonical, Debian, F5 and 2 more 24 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 21 more 2024-02-04 6.8 MEDIUM 8.1 HIGH
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
CVE-2018-19475 4 Artifex, Canonical, Debian and 1 more 10 Ghostscript, Ubuntu Linux, Debian Linux and 7 more 2024-02-04 6.8 MEDIUM 7.8 HIGH
psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.
CVE-2017-15137 1 Redhat 2 Openshift, Openshift Container Platform 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.
CVE-2018-12115 2 Nodejs, Redhat 2 Node.js, Openshift Container Platform 2024-02-04 5.0 MEDIUM 7.5 HIGH
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.
CVE-2018-14721 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Banking Platform and 9 more 2024-02-04 7.5 HIGH 10.0 CRITICAL
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-18311 8 Apple, Canonical, Debian and 5 more 18 Mac Os X, Ubuntu Linux, Debian Linux and 15 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVE-2018-13988 4 Canonical, Debian, Freedesktop and 1 more 8 Ubuntu Linux, Debian Linux, Poppler and 5 more 2024-02-04 4.3 MEDIUM 6.5 MEDIUM
Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
CVE-2018-19361 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-14719 5 Debian, Fasterxml, Netapp and 2 more 21 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 18 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2019-1003014 2 Jenkins, Redhat 2 Config File Provider, Openshift Container Platform 2024-02-04 3.5 LOW 4.8 MEDIUM
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
CVE-2019-1003011 2 Jenkins, Redhat 2 Token Macro, Openshift Container Platform 2024-02-04 5.5 MEDIUM 8.1 HIGH
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.
CVE-2018-19360 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-1000861 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2024-02-04 10.0 HIGH 9.8 CRITICAL
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.