Total
171 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7517 | 1 Redhat | 1 Openshift | 2025-05-13 | N/A | 3.5 LOW |
| An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. If a user creates a project called "MyProject", and then later deletes it another user can then create a project called "MyProject" and access the metrics stored from the original "MyProject" instance. | |||||
| CVE-2013-4253 | 1 Redhat | 1 Openshift | 2025-05-09 | N/A | 7.5 HIGH |
| The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file. | |||||
| CVE-2013-4281 | 1 Redhat | 1 Openshift | 2025-05-09 | N/A | 5.5 MEDIUM |
| In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file. | |||||
| CVE-2022-3262 | 1 Redhat | 1 Openshift | 2025-04-23 | N/A | 8.1 HIGH |
| A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability. | |||||
| CVE-2022-3260 | 1 Redhat | 1 Openshift | 2025-04-23 | N/A | 4.8 MEDIUM |
| The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. | |||||
| CVE-2022-3259 | 1 Redhat | 1 Openshift | 2025-04-22 | N/A | 7.4 HIGH |
| Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks. | |||||
| CVE-2017-1000376 | 4 Debian, Libffi Project, Oracle and 1 more | 6 Debian Linux, Libffi, Peopletools and 3 more | 2025-04-20 | 6.9 MEDIUM | 7.0 HIGH |
| libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1. | |||||
| CVE-2015-7501 | 1 Redhat | 15 Data Grid, Jboss A-mq, Jboss Bpm Suite and 12 more | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||
| CVE-2015-0238 | 1 Redhat | 1 Openshift | 2025-04-20 | 2.1 LOW | 3.3 LOW |
| selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to obtain process listing information via a privilege escalation attack. | |||||
| CVE-2015-7561 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift | 2025-04-20 | 3.5 LOW | 3.1 LOW |
| Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. | |||||
| CVE-2016-5409 | 1 Redhat | 1 Openshift | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a Set-Cookie header for the GEARID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies. | |||||
| CVE-2016-2160 | 1 Redhat | 2 Openshift, Openshift Origin | 2025-04-12 | 9.0 HIGH | 8.8 HIGH |
| Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allow remote authenticated users to execute commands with root privileges by changing the root password in an sti builder image. | |||||
| CVE-2016-5418 | 3 Libarchive, Oracle, Redhat | 10 Libarchive, Linux, Enterprise Linux Desktop and 7 more | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file. | |||||
| CVE-2015-7538 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors. | |||||
| CVE-2016-0788 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 10.0 HIGH | 9.8 CRITICAL |
| The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener. | |||||
| CVE-2016-2074 | 2 Openvswitch, Redhat | 2 Openvswitch, Openshift | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| Buffer overflow in lib/flow.c in ovs-vswitchd in Open vSwitch 2.2.x and 2.3.x before 2.3.3 and 2.4.x before 2.4.1 allows remote attackers to execute arbitrary code via crafted MPLS packets, as demonstrated by a long string in an ovs-appctl command. | |||||
| CVE-2014-3680 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2025-04-12 | 4.0 MEDIUM | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM. | |||||
| CVE-2015-5254 | 3 Apache, Fedoraproject, Redhat | 3 Activemq, Fedora, Openshift | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. | |||||
| CVE-2016-2142 | 1 Redhat | 1 Openshift | 2025-04-12 | 2.1 LOW | 5.5 MEDIUM |
| Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which allows local users to obtain Active Directory credentials by reading the file. | |||||
| CVE-2016-5392 | 1 Redhat | 1 Openshift | 2025-04-12 | 6.8 MEDIUM | 6.5 MEDIUM |
| The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment allows remote authenticated users with knowledge of other project names to obtain sensitive project and user information via vectors related to the watch-cache list. | |||||