U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): OpenShift
  • Search Type: Search All
  • CPE Name Search: false
There are 145 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2023-0229

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify.

Published: January 26, 2023; 4:18:06 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2021-4294

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216987.

Published: December 28, 2022; 12:15:09 PM -0500
V3.1: 5.9 MEDIUM
V2.0:(not available)
CVE-2022-3259

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.

Published: December 09, 2022; 1:15:19 PM -0500
V3.1: 7.4 HIGH
V2.0:(not available)
CVE-2022-3262

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability.

Published: December 08, 2022; 11:15:13 AM -0500
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2013-4281

In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file.

Published: October 19, 2022; 2:15:11 PM -0400
V3.1: 5.5 MEDIUM
V2.0:(not available)
CVE-2013-4253

The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file.

Published: October 19, 2022; 2:15:11 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2017-7517

An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. If a user creates a project called "MyProject", and then later deletes it another user can then create a project called "MyProject" and access the metrics stored from the original "MyProject" instance.

Published: October 17, 2022; 12:15:14 PM -0400
V3.1: 3.5 LOW
V2.0:(not available)
CVE-2022-2403

A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.

Published: September 01, 2022; 5:15:09 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-1677

In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.

Published: September 01, 2022; 5:15:09 PM -0400
V3.1: 6.3 MEDIUM
V2.0:(not available)
CVE-2022-1632

An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.

Published: September 01, 2022; 5:15:08 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2021-4125

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

Published: August 24, 2022; 12:15:09 PM -0400
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2021-3442

A flaw was found in the Red Hat OpenShift API Management product. User input is not validated allowing an authenticated user to inject scripts into some text boxes leading to a XSS attack. The highest threat from this vulnerability is to data confidentiality.

Published: August 22, 2022; 11:15:13 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2020-27836

A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability..

Published: August 22, 2022; 11:15:12 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2022-36909

A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload a SSH key file from the Jenkins controller file system to an attacker-specified URL.

Published: July 27, 2022; 11:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-36908

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload a SSH key file from the Jenkins controller file system to an attacker-specified URL.

Published: July 27, 2022; 11:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-36907

A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Published: July 27, 2022; 11:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-36906

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

Published: July 27, 2022; 11:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2015-3207

In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes.

Published: July 07, 2022; 9:15:08 AM -0400
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2014-0068

It was reported that watchman in openshift node-utils creates /var/run/watchman.pid and /var/log/watchman.ouput with world writable permission.

Published: June 30, 2022; 5:15:10 PM -0400
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2013-4561

In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. This may lead to loss of confidentiality and integrity.

Published: June 30, 2022; 3:15:08 PM -0400
V3.1: 9.1 CRITICAL
V2.0: 6.4 MEDIUM