VYPR
Vendor

Openshift

Products
16
CVEs
41
Across products
41
Status
Private

Products

16

Recent CVEs

41
View all 41 CVEs →
  • CVE-2018-1085CriJun 15, 2018
    risk 0.59cvss 9.0epss 0.02

    openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigured etcd file that causes the SSL client certificate authentication to be disabled. Quotations around the values of ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd.conf result in etcd being…

  • CVE-2024-45496CriSep 17, 2024
    risk 0.57cvss 9.9epss 0.01

    A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to…

  • CVE-2024-7387CriSep 17, 2024
    risk 0.52cvss 9.1epss 0.02

    A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the…

  • CVE-2024-6508HigAug 21, 2024
    risk 0.52cvss 8.0epss 0.01

    An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows…

  • CVE-2024-25133HigDec 31, 2024
    risk 0.50cvss 8.8epss 0.00

    A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.

  • CVE-2024-25131HigDec 19, 2024
    risk 0.50cvss 8.8epss 0.01

    A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can…

  • CVE-2024-45497HigDec 31, 2024
    risk 0.49cvss 7.6epss 0.01

    A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from…

  • CVE-2025-2241HigMar 17, 2025
    risk 0.46cvss 8.2epss 0.00

    A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision…

  • CVE-2026-10609modJun 23, 2026
    risk 0.44cvss 6.8epss 0.00

    openshift/cluster-logging-operator: Cluster Logging Operator creates and forwards ServiceAccount tokens without verifying CLF creator authorization

  • CVE-2024-1139HigApr 25, 2024
    risk 0.43cvss 7.7epss 0.01

    A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret.

  • CVE-2026-10101MedMay 29, 2026
    risk 0.41cvss 6.3epss 0.00

    ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover…

  • CVE-2026-7163MedApr 30, 2026
    risk 0.40cvss 6.1epss 0.00

    A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters…

  • CVE-2025-14443MedDec 16, 2025
    risk 0.35cvss 6.4epss 0.00

    A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range…

  • CVE-2024-6538MedNov 25, 2024
    risk 0.34cvss 5.3epss 0.01

    A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can often reach exposed services that aren't…

  • CVE-2015-8945MedAug 5, 2016
    risk 0.33cvss 5.1epss 0.00

    openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores router credentials as envvars in the pod when the --credentials option is used, which allows local users to obtain sensitive private key information by reading the systemd journal.

  • CVE-2024-7631MedMar 19, 2025
    risk 0.28cvss 4.3epss 0.00

    A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath…

  • CVE-2024-25132MedMar 19, 2025
    risk 0.28cvss 4.3epss 0.00

    A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the…

  • CVE-2016-8651LowAug 1, 2018
    risk 0.20cvss 3.1epss 0.01

    An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure of any information contained…

  • CVE-2019-11354Apr 19, 2019
    risk 0.06cvss epss 0.23

    The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for…

  • CVE-2019-12828Jun 14, 2019
    risk 0.04cvss epss 0.13

    An issue was discovered in Electronic Arts Origin before 10.5.39. Due to improper sanitization of the origin:// and origin2:// URI schemes, it is possible to inject additional arguments into the Origin process and ultimately leverage code execution by loading a backdoored Qt…