CVSS: 5.5EPSS: 1%CPEs: 31EXPL: 0CVE-2024-1300 – Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
https://notcve.org/view.php?id=CVE-2024-1300
02 Apr 2024 — A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error. Una vulnerabilidad en Eclipse Vert.x toolkit provoca una pérdida de m... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.8EPSS: 3%CPEs: 31EXPL: 0CVE-2024-1023 – Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
https://notcve.org/view.php?id=CVE-2024-1023
27 Mar 2024 — A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory le... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 1%CPEs: 38EXPL: 0CVE-2024-1394 – Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads
https://notcve.org/view.php?id=CVE-2024-1394
21 Mar 2024 — A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fa... • https://access.redhat.com/errata/RHSA-2024:1462 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.7EPSS: 0%CPEs: 11EXPL: 0CVE-2024-0793 – Kube-controller-manager: malformed hpa v1 manifest causes crash
https://notcve.org/view.php?id=CVE-2024-0793
20 Mar 2024 — A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn. Red Hat OpenShift Container Platform release 4.12.53 is now available with updates to packages and images that fix several bugs and add enhancements. • https://access.redhat.com/errata/RHSA-2024:0741 • CWE-20: Improper Input Validation •
CVSS: 8.6EPSS: 0%CPEs: 28EXPL: 0CVE-2024-1753 – Buildah: full container escape at build time
https://notcve.org/view.php?id=CVE-2024-1753
18 Mar 2024 — A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time. Se encontró una fa... • https://access.redhat.com/errata/RHSA-2024:2049 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-269: Improper Privilege Management •
CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-1725 – Kubevirt-csi: persistentvolume allows access to hcp's root node
https://notcve.org/view.php?id=CVE-2024-1725
07 Mar 2024 — A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node. Se encontró una falla en el componente kubevirt-csi del plano de control alojado (HCP) de OpenShift Virtualization. Este problema podría permitir que un atacante autenticado obtenga acceso al volumen del nodo trabajador HCP raí... • https://access.redhat.com/errata/RHSA-2024:1559 • CWE-501: Trust Boundary Violation •
CVSS: 7.8EPSS: 0%CPEs: 17EXPL: 0CVE-2023-3966 – Openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet
https://notcve.org/view.php?id=CVE-2023-3966
22 Feb 2024 — A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled. Se encontró una falla en Open vSwitch donde varias versiones son vulnerables a paquetes Geneve manipulados, lo que puede resultar en una denegación de servicio y accesos a memoria no válidos. Para desencadenar este problema es necesario que la descarga de... • https://access.redhat.com/security/cve/CVE-2023-3966 • CWE-248: Uncaught Exception •
CVSS: 9.4EPSS: 63%CPEs: 26EXPL: 0CVE-2024-1635 – Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol
https://notcve.org/view.php?id=CVE-2024-1635
19 Feb 2024 — A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting Ser... • https://access.redhat.com/errata/RHSA-2024:1674 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.0EPSS: 1%CPEs: 3EXPL: 0CVE-2024-1485 – Registry-support: decompress can delete files outside scope via relative paths
https://notcve.org/view.php?id=CVE-2024-1485
13 Feb 2024 — A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed. Se encontró una vulnerabilidad en la función de descompresión del soporte de registro. Este problema puede ser desencadenado por un atacante re... • https://access.redhat.com/security/cve/CVE-2024-1485 • CWE-23: Relative Path Traversal •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6596 – Openshift: incomplete fix for rapid reset (cve-2023-44487/cve-2023-39325)
https://notcve.org/view.php?id=CVE-2023-6596
09 Feb 2024 — An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for an OpenShift Containers. Se envió una solución incompleta para la vulnerabilidad Rapid Reset (CVE-2023-44487/CVE-2023-39325) para OpenShift Containers. Red Hat OpenShift Container Platform release 4.11.58 is now available with updates to packages and images that fix several bugs and add enhancements. • https://access.redhat.com/errata/RHSA-2024:0485 • CWE-400: Uncontrolled Resource Consumption •