Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): OpenShift
- Search Type: Search All
- CPE Name Search: false
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2020-1706 |
It has been found that in openshift-enterprise version 3.11 and openshift-enterprise versions 4.1 up to, including 4.3, multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/apb-tools-container. Published: March 09, 2020; 12:15:12 PM -0400 |
V3.1: 7.0 HIGH V2.0: 4.4 MEDIUM |
CVE-2020-1731 |
A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace. Published: March 02, 2020; 12:15:19 PM -0500 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2020-1704 |
An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Published: February 17, 2020; 12:15:14 PM -0500 |
V3.1: 7.8 HIGH V2.0: 4.6 MEDIUM |
CVE-2014-0234 |
The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920. NOTE: this may overlap CVE-2013-4253 and CVE-2013-4281. Published: February 11, 2020; 8:15:10 PM -0500 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2020-1708 |
It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb. Published: February 07, 2020; 4:15:10 PM -0500 |
V3.1: 7.0 HIGH V2.0: 4.4 MEDIUM |
CVE-2013-2060 |
The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart. Published: January 28, 2020; 11:15:11 AM -0500 |
V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2019-14819 |
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints. Published: January 07, 2020; 1:15:10 PM -0500 |
V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2019-14854 |
OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user. Published: January 07, 2020; 12:15:11 PM -0500 |
V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2013-0196 |
A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. Published: December 30, 2019; 5:15:11 PM -0500 |
V3.1: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2014-0163 |
Openshift has shell command injection flaws due to unsanitized data being passed into shell commands. Published: December 11, 2019; 11:15:10 AM -0500 |
V3.1: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2013-0163 |
OpenShift haproxy cartridge: predictable /tmp in set-proxy connection hook which could facilitate DoS Published: December 05, 2019; 10:15:11 AM -0500 |
V3.1: 5.5 MEDIUM V2.0: 2.1 LOW |
CVE-2013-2103 |
OpenShift cartridge allows remote URL retrieval Published: December 03, 2019; 9:15:09 AM -0500 |
V3.1: 8.1 HIGH V2.0: 5.5 MEDIUM |
CVE-2019-10213 |
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user. Published: November 25, 2019; 10:15:27 AM -0500 |
V3.1: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2019-10214 |
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. Published: November 25, 2019; 6:15:11 AM -0500 |
V3.1: 5.9 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2014-0084 |
Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly. Published: November 21, 2019; 10:15:11 AM -0500 |
V3.1: 5.5 MEDIUM V2.0: 2.1 LOW |
CVE-2014-0023 |
OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution Published: November 15, 2019; 10:15:11 AM -0500 |
V3.1: 7.8 HIGH V2.0: 4.6 MEDIUM |
CVE-2014-3592 |
OpenShift Origin: Improperly validated team names could allow stored XSS attacks Published: November 13, 2019; 11:15:10 AM -0500 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2013-0165 |
cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp. Published: November 01, 2019; 3:15:10 PM -0400 |
V3.1: 7.3 HIGH V2.0: 7.5 HIGH |
CVE-2019-14845 |
A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content. Published: October 08, 2019; 3:15:10 PM -0400 |
V3.1: 5.3 MEDIUM V2.0: 2.9 LOW |
CVE-2019-6648 |
On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by an AS3 Declaration. Published: September 04, 2019; 12:15:11 PM -0400 |
V3.1: 4.4 MEDIUM V2.0: 1.9 LOW |