Filtered by vendor Redhat
Subscriptions
Filtered by product Acm
Subscriptions
Total
198 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-24786 | 2 Golang, Redhat | 24 Go, Acm, Ceph Storage and 21 more | 2026-04-15 | 7.5 High |
| The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | ||||
| CVE-2025-11065 | 1 Redhat | 13 Acm, Advanced Cluster Security, Certifications and 10 more | 2026-04-15 | 5.3 Medium |
| A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. | ||||
| CVE-2024-45338 | 1 Redhat | 27 Acm, Advanced Cluster Security, Ceph Storage and 24 more | 2026-04-15 | 5.3 Medium |
| An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | ||||
| CVE-2024-45336 | 1 Redhat | 8 Acm, Ceph Storage, Enterprise Linux and 5 more | 2026-04-15 | 6.1 Medium |
| The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. | ||||
| CVE-2024-9779 | 1 Redhat | 1 Acm | 2026-04-15 | 7.5 High |
| A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster. | ||||
| CVE-2023-45288 | 3 Go Standard Library, Golang, Redhat | 33 Net\/http, Http2, Acm and 30 more | 2026-04-15 | 7.5 High |
| An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. | ||||
| CVE-2024-45813 | 1 Redhat | 3 Acm, Multicluster Engine, Openshift Devspaces | 2026-04-15 | 5.3 Medium |
| find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue. | ||||
| CVE-2022-0778 | 8 Debian, Fedoraproject, Mariadb and 5 more | 25 Debian Linux, Fedora, Mariadb and 22 more | 2026-04-14 | 7.5 High |
| The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). | ||||
| CVE-2022-24450 | 3 Linuxfoundation, Nats, Redhat | 3 Nats-server, Nats Streaming Server, Acm | 2026-03-30 | 8.8 High |
| NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. | ||||
| CVE-2022-32148 | 2 Golang, Redhat | 19 Go, Acm, Application Interconnect and 16 more | 2026-03-06 | 6.5 Medium |
| Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. | ||||
| CVE-2022-30629 | 2 Golang, Redhat | 15 Go, Acm, Ceph Storage and 12 more | 2026-03-06 | 3.1 Low |
| Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. | ||||
| CVE-2022-1962 | 2 Golang, Redhat | 16 Go, Acm, Application Interconnect and 13 more | 2026-03-06 | 5.5 Medium |
| Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | ||||
| CVE-2022-30635 | 2 Golang, Redhat | 15 Go, Acm, Ceph Storage and 12 more | 2026-03-06 | 7.5 High |
| Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | ||||
| CVE-2022-30633 | 2 Golang, Redhat | 14 Go, Acm, Application Interconnect and 11 more | 2026-03-06 | 7.5 High |
| Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. | ||||
| CVE-2022-30630 | 2 Golang, Redhat | 17 Go, Acm, Application Interconnect and 14 more | 2026-03-06 | 7.5 High |
| Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | ||||
| CVE-2022-1705 | 2 Golang, Redhat | 22 Go, Acm, Application Interconnect and 19 more | 2026-03-06 | 6.5 Medium |
| Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. | ||||
| CVE-2022-0536 | 2 Follow-redirects Project, Redhat | 7 Follow-redirects, Acm, Openshift Data Foundation and 4 more | 2026-02-24 | 2.6 Low |
| Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8. | ||||
| CVE-2025-14874 | 2 Nodemailer, Redhat | 6 Nodemailer, Acm, Advanced Cluster Management For Kubernetes and 3 more | 2026-01-08 | 7.5 High |
| A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | ||||
| CVE-2023-37466 | 2 Redhat, Vm2 Project | 3 Acm, Multicluster Engine, Vm2 | 2026-01-05 | 9.8 Critical |
| vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue. | ||||
| CVE-2024-4068 | 3 Jonschlinkert, Micromatch, Redhat | 8 Braces, Braces, Acm and 5 more | 2025-12-31 | 7.5 High |
| The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. | ||||