Openshift Security Vulnerabilities

CVE-2021-4294

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It....

CVE-2019-19348

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their...

CVE-2019-19346

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4 . An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their...

CVE-2013-0196

A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web...

CVE-2013-0165

cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in...

CVE-2014-0084

Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and...

CVE-2015-3207

In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly'...

CVE-2020-10752

A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into.....

CVE-2014-0163

Openshift has shell command injection flaws due to unsanitized data being passed into shell...

CVE-2013-2095

rubygem-openshift-origin-controller: API can be used to create applications via cartridge_cache.rb URI.prase() to perform command...

CVE-2013-0163

OpenShift haproxy cartridge: predictable /tmp in set-proxy connection hook which could facilitate...

CVE-2013-2103

OpenShift cartridge allows remote URL...

CVE-2014-0023

OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code...

CVE-2014-3592

OpenShift Origin: Improperly validated team names could allow stored XSS...

CVE-2018-1103

Openshift Enterprise source-to-image before version 1.1.10 is vulnerable to an improper validation of user input. An attacker who could trick a user into using the command to copy files locally, from a pod, could override files outside of the target directory of the...

CVE-2015-8945

openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores router credentials as envvars in the pod when the --credentials option is used, which allows local users to obtain sensitive private key information by reading the systemd...