Openshift@* Security Vulnerabilities and Issues — Openshift@* CVE List

Lucene search

RedhatOpenshift*

10 matches found

CVE•added 2022/09/01 9:15 p.m.•1983 views

CVE-2022-2403

A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by read...

6.5CVSS6.3AI score0.00672EPSS

CVE•added 2022/08/24 4:15 p.m.•153 views

CVE-2021-4125

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

8.1CVSS9.4AI score0.94358EPSS

CVE•added 2022/09/01 9:15 p.m.•131 views

CVE-2022-1677

In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct tra...

6.3CVSS6.2AI score0.00098EPSS

CVE•added 2022/12/09 6:15 p.m.•123 views

CVE-2022-3259

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.

7.4CVSS7.3AI score0.00062EPSS

CVE•added 2022/09/01 9:15 p.m.•82 views

CVE-2022-1632

An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confid...

6.5CVSS6.3AI score0.00129EPSS

CVE•added 2022/12/08 4:15 p.m.•80 views

CVE-2022-3260

The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.

4.8CVSS5.1AI score0.00148EPSS

CVE•added 2022/12/08 4:15 p.m.•68 views

CVE-2022-3262

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability.

8.1CVSS7.8AI score0.00348EPSS

CVE•added 2022/04/11 8:15 p.m.•60 views

CVE-2021-4047

The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package, however the patch for CVE-2021-39242 was missing. This issue only affects Red Hat OpenShift 4.9.

7.5CVSS7.5AI score0.00467EPSS

CVE•added 2022/10/19 6:15 p.m.•54 views

CVE-2013-4253

The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file.

7.5CVSS8.6AI score0.00052EPSS

CVE•added 2022/10/19 6:15 p.m.•40 views

CVE-2013-4281

In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file.

5.5CVSS7AI score0.0002EPSS