Openshift
by Red Hat
Source repositories
CVEs (144)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10715 | 0.00 | — | 0.01 | Sep 16, 2020 | A content spoofing vulnerability was found in the openshift/console 3.11 and 4.x. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the… | |||
| CVE-2020-10706 | 0.00 | — | 0.00 | May 12, 2020 | A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into… | |||
| CVE-2020-1741 | 0.00 | — | 0.01 | Apr 24, 2020 | A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installation. An attacker, able to man-in-the-middle the connection between the user's browser and the openshift console, could… | |||
| CVE-2019-19346 | 0.00 | — | 0.00 | Apr 2, 2020 | An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4 . An attacker with access to the container could use this flaw to modify /etc/passwd and… | |||
| CVE-2019-19345 | 0.00 | — | 0.00 | Mar 20, 2020 | A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mediawiki-apb. An attacker with access to the container could use this flaw to modify… | |||
| CVE-2020-1709 | 0.00 | — | 0.00 | Mar 20, 2020 | A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/mediawiki. An attacker with access to the container could use this flaw to modify /etc/passwd and… | |||
| CVE-2019-19355 | 0.00 | — | 0.00 | Mar 18, 2020 | An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the… | |||
| CVE-2019-19351 | 0.00 | — | 0.00 | Mar 18, 2020 | An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the… | |||
| CVE-2019-19335 | 0.00 | — | 0.00 | Mar 18, 2020 | During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. Both files contain credentials used to authenticate to the OpenShift API server, and are incorrectly assigned… | |||
| CVE-2019-14819 | 0.00 | — | 0.01 | Jan 7, 2020 | A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges… | |||
| CVE-2014-0163 | 0.00 | — | 0.02 | Dec 11, 2019 | Openshift has shell command injection flaws due to unsanitized data being passed into shell commands. | |||
| CVE-2013-2103 | 0.00 | — | 0.01 | Dec 3, 2019 | OpenShift cartridge allows remote URL retrieval | |||
| CVE-2019-10213 | 0.00 | — | 0.01 | Nov 25, 2019 | OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been… | |||
| CVE-2014-0023 | 0.00 | — | 0.00 | Nov 15, 2019 | OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution | |||
| CVE-2014-3592 | 0.00 | — | 0.01 | Nov 13, 2019 | OpenShift Origin: Improperly validated team names could allow stored XSS attacks | |||
| CVE-2013-0165 | 0.00 | — | 0.01 | Nov 1, 2019 | cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp. | |||
| CVE-2019-14845 | 0.00 | — | 0.00 | Oct 8, 2019 | A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content. | |||
| CVE-2019-10176 | 0.00 | — | 0.01 | Aug 2, 2019 | A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use… | |||
| CVE-2019-3884 | 0.00 | — | 0.01 | Aug 1, 2019 | A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects. Versions 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 4.1 are affected. | |||
| CVE-2019-10165 | 0.00 | — | 0.00 | Jul 30, 2019 | OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources. |
- CVE-2020-10715Sep 16, 2020risk 0.00cvss —epss 0.01
A content spoofing vulnerability was found in the openshift/console 3.11 and 4.x. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the…
- CVE-2020-10706May 12, 2020risk 0.00cvss —epss 0.00
A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into…
- CVE-2020-1741Apr 24, 2020risk 0.00cvss —epss 0.01
A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installation. An attacker, able to man-in-the-middle the connection between the user's browser and the openshift console, could…
- CVE-2019-19346Apr 2, 2020risk 0.00cvss —epss 0.00
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4 . An attacker with access to the container could use this flaw to modify /etc/passwd and…
- CVE-2019-19345Mar 20, 2020risk 0.00cvss —epss 0.00
A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mediawiki-apb. An attacker with access to the container could use this flaw to modify…
- CVE-2020-1709Mar 20, 2020risk 0.00cvss —epss 0.00
A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/mediawiki. An attacker with access to the container could use this flaw to modify /etc/passwd and…
- CVE-2019-19355Mar 18, 2020risk 0.00cvss —epss 0.00
An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the…
- CVE-2019-19351Mar 18, 2020risk 0.00cvss —epss 0.00
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the…
- CVE-2019-19335Mar 18, 2020risk 0.00cvss —epss 0.00
During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. Both files contain credentials used to authenticate to the OpenShift API server, and are incorrectly assigned…
- CVE-2019-14819Jan 7, 2020risk 0.00cvss —epss 0.01
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges…
- CVE-2014-0163Dec 11, 2019risk 0.00cvss —epss 0.02
Openshift has shell command injection flaws due to unsanitized data being passed into shell commands.
- CVE-2013-2103Dec 3, 2019risk 0.00cvss —epss 0.01
OpenShift cartridge allows remote URL retrieval
- CVE-2019-10213Nov 25, 2019risk 0.00cvss —epss 0.01
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been…
- CVE-2014-0023Nov 15, 2019risk 0.00cvss —epss 0.00
OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution
- CVE-2014-3592Nov 13, 2019risk 0.00cvss —epss 0.01
OpenShift Origin: Improperly validated team names could allow stored XSS attacks
- CVE-2013-0165Nov 1, 2019risk 0.00cvss —epss 0.01
cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp.
- CVE-2019-14845Oct 8, 2019risk 0.00cvss —epss 0.00
A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content.
- CVE-2019-10176Aug 2, 2019risk 0.00cvss —epss 0.01
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use…
- CVE-2019-3884Aug 1, 2019risk 0.00cvss —epss 0.01
A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects. Versions 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 4.1 are affected.
- CVE-2019-10165Jul 30, 2019risk 0.00cvss —epss 0.00
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.
Page 5 of 8