Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Openshift
(Redhat)| Repositories |
• https://github.com/openshift/origin-server
• https://github.com/opencontainers/runc • https://github.com/jenkinsci/jenkins • https://github.com/libarchive/libarchive • https://github.com/php/php-src |
| #Vulnerabilities | 140 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-03-20 | CVE-2020-1707 | A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/postgresql-apb. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. | Openshift | 7.0 | ||
| 2020-03-20 | CVE-2020-1709 | A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/mediawiki. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. | Openshift | 7.8 | ||
| 2022-04-11 | CVE-2021-4047 | The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package, however the patch for CVE-2021-39242 was missing. This issue only affects Red Hat OpenShift 4.9. | Openshift | 7.5 | ||
| 2022-09-01 | CVE-2022-2403 | A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate. | Openshift | 6.5 | ||
| 2022-12-09 | CVE-2022-3259 | Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks. | Openshift | 7.4 | ||
| 2023-01-17 | CVE-2023-0296 | The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only... | Openshift | 5.3 | ||
| 2023-01-26 | CVE-2023-0229 | A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify. | Openshift | 6.3 | ||
| 2022-12-08 | CVE-2022-3260 | The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. | Openshift | 4.8 | ||
| 2022-12-08 | CVE-2022-3262 | A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability. | Openshift | 8.1 | ||
| 2022-10-19 | CVE-2013-4253 | The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file. | Openshift | 7.5 |