Lucene search

K
redhatRedHatRHSA-2023:0017
HistoryJan 12, 2023 - 4:42 p.m.

(RHSA-2023:0017) Important: OpenShift Container Platform 4.8.56 packages and security update

2023-01-1216:42:52
access.redhat.com
14

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

51.5%

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.56. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2023:0018

Security Fix(es):

  • Pipeline Shared Groovy Libraries: Untrusted users can modify some
    Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
    (CVE-2022-29047)
  • Jenkins plugin: Sandbox bypass vulnerability through implicitly
    allowlisted platform Groovy files in Pipeline: Groovy Plugin
    (CVE-2022-30945)
  • Jenkins plugin: Mercurial SCM plugin can check out from the controller
    file system (CVE-2022-30948)
  • jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step
    Plugin (CVE-2022-34177)
  • jenkins-plugin: Man-in-the-Middle (MitM) in
    org.jenkins-ci.plugins:git-client (CVE-2022-36881)
  • http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
  • Jenkins plugin: CSRF vulnerability in Script Security Plugin
    (CVE-2022-30946)
  • Jenkins plugin: User-scoped credentials exposed to other users by
    Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
  • Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
  • Jenkins plugin: missing permission checks in Blue Ocean Plugin
    (CVE-2022-30954)
  • jenkins: Observable timing discrepancy allows determining username
    validity (CVE-2022-34174)
  • jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin
    (CVE-2022-34176)
  • jenkins-plugin: Cross-site Request Forgery (CSRF) in
    org.jenkins-ci.plugins:git (CVE-2022-36882)
  • jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
    (CVE-2022-36883)
  • jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
    (CVE-2022-36884)
  • jenkins plugin: Non-constant time webhook signature comparison in GitHub
    Plugin (CVE-2022-36885)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

51.5%