Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Openshift_container_platform
(Redhat)| Repositories |
• https://github.com/FasterXML/jackson-databind
• https://github.com/torvalds/linux • https://github.com/Perl/perl5 • https://github.com/evanphx/json-patch • https://github.com/ansible/ansible |
| #Vulnerabilities | 237 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-02-11 | CVE-2020-1726 | A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume.This issue was introduced in version 1.6.0. | Libpod, Enterprise_linux, Openshift_container_platform | 5.9 | ||
| 2020-02-12 | CVE-2020-8945 | The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. | Fedora, Gpgme, Enterprise_linux_for_ibm_z_systems, Enterprise_linux_for_power_little_endian, Enterprise_linux_server, Enterprise_linux_workstation, Openshift_container_platform, Openshift_container_platform_for_ibm_z, Openshift_container_platform_for_linuxone | 7.5 | ||
| 2020-03-09 | CVE-2020-1706 | It has been found that in openshift-enterprise version 3.11 and openshift-enterprise versions 4.1 up to, including 4.3, multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/apb-tools-container. | Openshift_container_platform | 7.0 | ||
| 2020-03-31 | CVE-2020-1712 | A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. | Debian_linux, Ceph_storage, Discovery, Enterprise_linux, Migration_toolkit, Openshift_container_platform, Systemd | 7.8 | ||
| 2020-04-23 | CVE-2020-1760 | A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. | Ubuntu_linux, Debian_linux, Fedora, Ceph, Ceph_storage, Openshift_container_platform | 6.1 | ||
| 2020-04-24 | CVE-2020-1741 | A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installation. An attacker, able to man-in-the-middle the connection between the user's browser and the openshift console, could use this flaw to perform a phishing attack. The main threat from this vulnerability is data confidentiality. | Openshift_container_platform | 5.9 | ||
| 2020-06-03 | CVE-2020-7013 | Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. | Kibana, Openshift_container_platform | 7.2 | ||
| 2020-07-13 | CVE-2020-14298 | The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the container host and other containers running on the same host. This issue only affects docker version 1.13.1-108.git4ef4b30.el7, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later... | Docker, Enterprise_linux_server, Openshift_container_platform | 8.8 | ||
| 2020-07-29 | CVE-2020-15705 | GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions. | Ubuntu_linux, Debian_linux, Grub2, Windows_10, Windows_8\.1, Windows_rt_8\.1, Windows_server_2012, Windows_server_2016, Windows_server_2019, Leap, Enterprise_linux, Enterprise_linux_atomic_host, Openshift_container_platform, Suse_linux_enterprise_server | 6.4 | ||
| 2020-07-29 | CVE-2020-15706 | GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions. | Ubuntu_linux, Debian_linux, Grub2, Windows_10, Windows_8\.1, Windows_rt_8\.1, Windows_server_2012, Windows_server_2016, Windows_server_2019, Leap, Enterprise_linux, Enterprise_linux_atomic_host, Openshift_container_platform, Suse_linux_enterprise_server | 6.4 |