CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-2241 – Hive: exposure of vcenter credentials via clusterprovision in hive / mce / acm
https://notcve.org/view.php?id=CVE-2025-2241
17 Mar 2025 — A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation. • https://access.redhat.com/security/cve/CVE-2025-2241 • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 46EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9779 – Open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
https://notcve.org/view.php?id=CVE-2024-9779
17 Dec 2024 — A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token ... • https://access.redhat.com/security/cve/CVE-2024-9779 • CWE-501: Trust Boundary Violation •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5042 – Submariner-operator: rbac permissions can allow for the spread of node compromises
https://notcve.org/view.php?id=CVE-2024-5042
17 May 2024 — A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster. Se encontró un fallo en el proyecto Submariner. Debido a permisos innecesarios de control de acceso basados en roles, un atacante privilegiado puede ejecutar un contenedor malicioso en un nodo que puede permitirle robar token... • https://access.redhat.com/security/cve/CVE-2024-5042 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 8.3EPSS: 0%CPEs: 44EXPL: 0CVE-2024-3727 – Containers/image: digest type does not guarantee valid type
https://notcve.org/view.php?id=CVE-2024-3727
09 May 2024 — A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. Se encontró una falla en la librería github.com/containers/image. Esta falla permite a los atacantes activar accesos inesperados al registro autenticado en nombre de un usuario víctima, lo que provoca agotamiento de recursos, path traversal local y otros ataques. Red Hat ... • https://access.redhat.com/errata/RHSA-2024:0045 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1139 – Cluster-monitoring-operator: credentials leak
https://notcve.org/view.php?id=CVE-2024-1139
25 Apr 2024 — A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret. Se encontró una vulnerabilidad de fuga de credenciales en el operador de monitoreo de clúster en OCP. Este problema puede permitir que un atacante remoto que tenga credenciales de inicio de sesión básicas verifique el manifiesto del pod para descubrir un secreto de extracción del repositori... • https://access.redhat.com/errata/RHSA-2024:1887 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2024-0874 – Coredns: cd bit response is cached and served later
https://notcve.org/view.php?id=CVE-2024-0874
25 Apr 2024 — A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching. Se encontró una falla en coredns. Este problema podría provocar que se devuelvan entradas de caché no válidas debido a un almacenamiento en caché implementado incorrectamente. Red Hat OpenShift Container Platform release 4.15.24 is now available with updates to packages and images that fix several bugs and add enhancements. • https://access.redhat.com/errata/RHSA-2024:0041 • CWE-524: Use of Cache Containing Sensitive Information •