CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10354 – jenkins: Unauthorized view fragment access (SECURITY-534)
https://notcve.org/view.php?id=CVE-2019-10354
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. Una vulnerabilidad en el framework web Stapler usado en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, ha permitido a los atacantes acceder directamente a los fragmentos de visualización, omitiendo las comprobaciones de permisos y posiblemente obtener información confidencial. • http://www.openwall.com/lists/oss-security/2019/07/17/2 http://www.securityfocus.com/bid/109373 https://access.redhat.com/errata/RHSA-2019:2503 https://access.redhat.com/errata/RHSA-2019:2548 https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534 https://access.redhat.com/security/cve/CVE-2019-10354 https://bugzilla.redhat.com/show_bug.cgi?id=1730869 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2019-3889 – atomic-openshift: reflected XSS in authentication flow
https://notcve.org/view.php?id=CVE-2019-3889
A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. An attacker could use this flaw to steal authorization data by getting them to click on a malicious link. Se presenta una vulnerabilidad de tipo XSS reflejada en el flujo de autorización de OpenShift Container Platform versiones: openshift-online- versión 3, openshift-enterprise- versiones 3.4 hasta 3.7 y openshift-enterprise- versiones 3.9 hasta 3.11. Un atacante podría utilizar este defecto para robar datos de autorización logrando que hagan clic en un enlace malicioso. A reflected XSS vulnerability exists in the authentication flow of the OpenShift Container Platform. • https://access.redhat.com/errata/RHSA-2019:3722 https://access.redhat.com/errata/RHSA-2019:3770 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3889 https://access.redhat.com/security/cve/CVE-2019-3889 https://bugzilla.redhat.com/show_bug.cgi?id=1693499 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10165 – openshift: OAuth access tokens written in plaintext to API server audit logs
https://notcve.org/view.php?id=CVE-2019-10165
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources. OpenShift Container Platform anterior a versión 4.1.3, escribe tokens OAuth en texto plano en los registros de auditoría para el servidor de la API Kubernetes y el servidor de la API OpenShift. Un usuario con privilegios suficientes podría recuperar tokens OAuth de estos registros de auditoría y usarlos para acceder a otros recursos. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165 https://github.com/openshift/cluster-kube-apiserver-operator/pull/499 https://github.com/openshift/cluster-openshift-apiserver-operator/pull/205 https://access.redhat.com/security/cve/CVE-2019-10165 https://bugzilla.redhat.com/show_bug.cgi?id=1719092 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10150 – atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository
https://notcve.org/view.php?id=CVE-2019-10150
It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output. Se encontró que OpenShift Container Platform versiones 3.6.x hasta 4.6.0, no realizan la comprobación de clave del host SSH cuando es usada la autenticación de la clave ssh durante las compilaciones. Un atacante, con la capacidad de redireccionar el tráfico de la red, podría usar esto para alterar la salida de compilación resultante. It was found that OpenShift Container Platform does not perform SSH Host Key checking when using ssh key authentication during builds. • https://access.redhat.com/errata/RHSA-2019:2989 https://access.redhat.com/errata/RHSA-2019:3007 https://access.redhat.com/errata/RHSA-2019:3143 https://access.redhat.com/errata/RHSA-2019:3811 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150 https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication https://access.redhat.com/security/cve/CVE-2019-10150 https://bugzilla.redhat.com/show_bug.cgi?id=1713433 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-3899 – heketi: heketi can be installed using insecure defaults
https://notcve.org/view.php?id=CVE-2019-3899
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11. Se encontró que la configuración predeterminada de Heketi no requiere ninguna autenticación, y expone potencialmente la interfaz de gestión a un mal uso. Esta situación sólo afecta a heketi tal y como se envía con Openshift Container Platform versión 3.11. It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to be misused. • https://access.redhat.com/errata/RHSA-2019:3255 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3899 https://access.redhat.com/security/cve/CVE-2019-3899 https://bugzilla.redhat.com/show_bug.cgi?id=1701091 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function CWE-592: DEPRECATED: Authentication Bypass Issues •