Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift
Subscriptions
Total
1087 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-42889 | 4 Apache, Juniper, Netapp and 1 more | 21 Commons Text, Jsa1500, Jsa3500 and 18 more | 2024-11-21 | 9.8 Critical |
| Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | ||||
| CVE-2022-3466 | 2 Kubernetes, Redhat | 4 Cri-o, Openshift, Openshift Container Platform and 1 more | 2024-11-21 | 4.8 Medium |
| The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652. | ||||
| CVE-2022-3248 | 1 Redhat | 6 Acm, Advanced Cluster Management For Kubernetes, Ansible Automation Platform and 3 more | 2024-11-21 | 4.4 Medium |
| A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied. | ||||
| CVE-2022-36885 | 2 Jenkins, Redhat | 2 Github, Openshift | 2024-11-21 | 5.3 Medium |
| Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. | ||||
| CVE-2022-36884 | 2 Jenkins, Redhat | 2 Git, Openshift | 2024-11-21 | 5.3 Medium |
| The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. | ||||
| CVE-2022-36883 | 2 Jenkins, Redhat | 2 Git, Openshift | 2024-11-21 | 7.5 High |
| A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. | ||||
| CVE-2022-36882 | 2 Jenkins, Redhat | 2 Git, Openshift | 2024-11-21 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. | ||||
| CVE-2022-36881 | 2 Jenkins, Redhat | 2 Git Client, Openshift | 2024-11-21 | 8.1 High |
| Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. | ||||
| CVE-2022-34177 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-11-21 | 7.5 High |
| Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. | ||||
| CVE-2022-34176 | 2 Jenkins, Redhat | 2 Junit, Openshift | 2024-11-21 | 5.4 Medium |
| Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. | ||||
| CVE-2022-34174 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 7.5 High |
| In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | ||||
| CVE-2022-32190 | 2 Golang, Redhat | 10 Go, Ceph Storage, Container Native Virtualization and 7 more | 2024-11-21 | 7.5 High |
| JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. | ||||
| CVE-2022-32189 | 2 Golang, Redhat | 13 Go, Ceph Storage, Container Native Virtualization and 10 more | 2024-11-21 | 7.5 High |
| A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. | ||||
| CVE-2022-32148 | 2 Golang, Redhat | 19 Go, Acm, Application Interconnect and 16 more | 2024-11-21 | 6.5 Medium |
| Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. | ||||
| CVE-2022-30954 | 2 Jenkins, Redhat | 3 Blue Ocean, Ocp Tools, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | ||||
| CVE-2022-30953 | 2 Jenkins, Redhat | 3 Blue Ocean, Ocp Tools, Openshift | 2024-11-21 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. | ||||
| CVE-2022-30952 | 2 Jenkins, Redhat | 3 Blue Ocean, Ocp Tools, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. | ||||
| CVE-2022-30948 | 2 Jenkins, Redhat | 2 Mercurial, Openshift | 2024-11-21 | 7.5 High |
| Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | ||||
| CVE-2022-30946 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2024-11-21 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver. | ||||
| CVE-2022-30945 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-11-21 | 8.5 High |
| Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. | ||||