Openshift
by Red Hat
Source repositories
CVEs (144)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0789 | Med | 0.33 | 6.1 | 0.02 | Apr 7, 2016 | CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | ||
| CVE-2017-15137 | Med | 0.28 | 4.3 | 0.01 | Jul 16, 2018 | The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed. | ||
| CVE-2016-9592 | Med | 0.28 | 4.3 | 0.01 | Apr 16, 2018 | openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of… | ||
| CVE-2016-3725 | Med | 0.28 | 4.3 | 0.02 | May 17, 2016 | Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). | ||
| CVE-2016-3723 | Med | 0.28 | 4.3 | 0.02 | May 17, 2016 | Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. | ||
| CVE-2016-3722 | Med | 0.28 | 4.3 | 0.02 | May 17, 2016 | Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name." | ||
| CVE-2016-3721 | Med | 0.28 | 4.3 | 0.02 | May 17, 2016 | Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. | ||
| CVE-2015-7528 | Med | 0.28 | 5.3 | 0.02 | Apr 11, 2016 | Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name. | ||
| CVE-2015-0238 | Low | 0.21 | 3.3 | 0.00 | Sep 26, 2017 | selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to obtain process listing information via a privilege escalation attack. | ||
| CVE-2016-3711 | Low | 0.21 | 3.3 | 0.00 | Jun 8, 2016 | HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allows local users to obtain the internal IP address of a pod by reading the "OPENSHIFT_[namespace]_SERVERID" cookie. | ||
| CVE-2016-3727 | Med | 0.21 | 4.3 | 0.02 | May 17, 2016 | The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. | ||
| CVE-2016-8651 | Low | 0.20 | 3.1 | 0.01 | Aug 1, 2018 | An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure of any information contained… | ||
| CVE-2015-7561 | Low | 0.13 | 3.1 | 0.01 | Aug 7, 2017 | Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. | ||
| CVE-2013-2060 | 0.02 | — | 0.06 | Jan 28, 2020 | The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart. | |||
| CVE-2024-9453 | 0.00 | — | 0.00 | Jul 4, 2025 | A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the… | |||
| CVE-2024-7079 | 0.00 | — | 0.00 | Jul 24, 2024 | A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to… | |||
| CVE-2023-5408 | 0.00 | — | 0.01 | Nov 2, 2023 | A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader… | |||
| CVE-2022-4145 | 0.00 | — | 0.01 | Oct 5, 2023 | A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation. | |||
| CVE-2023-3089 | 0.00 | — | 0.00 | Jul 5, 2023 | A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. | |||
| CVE-2023-0056 | 0.00 | — | 0.02 | Mar 23, 2023 | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. |
- risk 0.33cvss 6.1epss 0.02
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
- risk 0.28cvss 4.3epss 0.01
The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.
- risk 0.28cvss 4.3epss 0.01
openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of…
- risk 0.28cvss 4.3epss 0.02
Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).
- risk 0.28cvss 4.3epss 0.02
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
- risk 0.28cvss 4.3epss 0.02
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."
- risk 0.28cvss 4.3epss 0.02
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.
- risk 0.28cvss 5.3epss 0.02
Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.
- risk 0.21cvss 3.3epss 0.00
selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to obtain process listing information via a privilege escalation attack.
- risk 0.21cvss 3.3epss 0.00
HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allows local users to obtain the internal IP address of a pod by reading the "OPENSHIFT_[namespace]_SERVERID" cookie.
- risk 0.21cvss 4.3epss 0.02
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
- risk 0.20cvss 3.1epss 0.01
An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure of any information contained…
- risk 0.13cvss 3.1epss 0.01
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
- CVE-2013-2060Jan 28, 2020risk 0.02cvss —epss 0.06
The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart.
- CVE-2024-9453Jul 4, 2025risk 0.00cvss —epss 0.00
A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the…
- CVE-2024-7079Jul 24, 2024risk 0.00cvss —epss 0.00
A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to…
- CVE-2023-5408Nov 2, 2023risk 0.00cvss —epss 0.01
A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader…
- CVE-2022-4145Oct 5, 2023risk 0.00cvss —epss 0.01
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
- CVE-2023-3089Jul 5, 2023risk 0.00cvss —epss 0.00
A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
- CVE-2023-0056Mar 23, 2023risk 0.00cvss —epss 0.02
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
Page 3 of 8