CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15138
https://notcve.org/view.php?id=CVE-2017-15138
13 Aug 2018 — The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens. La lectura en clúster de OpenShift Enterprise puede acceder a tokens webhook que permitirían a un atacante con privilegios suficientes ver tokens webhook confidenciales. • https://access.redhat.com/errata/RHBA-2018:0489 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 1CVE-2018-13988 – poppler: out of bounds read in pdfunite
https://notcve.org/view.php?id=CVE-2018-13988
22 Jul 2018 — Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file. Poppler hasta la versión 0.62 contiene una vulnerabilidad de lectura fuera de límites debido a un acceso incorrecto a la memoria que no se mapea en su espacio de memoria, tal y como queda demostrado con pdfuni... • https://packetstorm.news/files/id/148661 • CWE-125: Out-of-bounds Read •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-15137
https://notcve.org/view.php?id=CVE-2017-15137
16 Jul 2018 — The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed. La lista blanca de importación de imágenes de OpenShift falló a la hora de aplicar restricciones correctamente al ejecutar comandos como, por ejemplo, "oc tag". Esto podría permitir que un usuario con acceso a OpenShift ejecute imágenes de registros en los que no debería es... • https://access.redhat.com/errata/RHBA-2018:0489 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2018-12910 – libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames
https://notcve.org/view.php?id=CVE-2018-12910
03 Jul 2018 — The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname. La función get_cookies en soup-cookie-jar.c en libsoup 2.63.2 permite que los atacantes provoquen un impacto no especificado mediante un nombre de host vacío. An out-of-bounds read has been discovered in libsoup when getting cookies from a URI with empty hostname. An attacker may use this flaw to cause a crash in the application. GNOME is the default desktop environment of Red H... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00003.html • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2018-13033 – binutils: Uncontrolled Resource Consumption in execution of nm
https://notcve.org/view.php?id=CVE-2018-13033
01 Jul 2018 — The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm. La biblioteca Binary File Descriptor (BFD), conocida como libbfd, tal y como se distribuye en GNU Binutils 2.30 y anteriores permite que atacantes remotos provoquen... • http://www.securityfocus.com/bid/104584 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10843 – source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code
https://notcve.org/view.php?id=CVE-2018-10843
27 Jun 2018 — source-to-image component of Openshift Container Platform before versions atomic-openshift 3.7.53, atomic-openshift 3.9.31 is vulnerable to a privilege escalation which allows the assemble script to run as the root user in a non-privileged container. An attacker can use this flaw to open network connections, and possibly other actions, on the host which are normally only available to a root user. El componente source-to-image de Openshift Container Platform en versiones anteriores a atomic-openshift 3.7.53 ... • https://access.redhat.com/errata/RHSA-2018:2013 • CWE-20: Improper Input Validation CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1085 – openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication
https://notcve.org/view.php?id=CVE-2018-1085
15 Jun 2018 — openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigured etcd file that causes the SSL client certificate authentication to be disabled. Quotations around the values of ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd.conf result in etcd being configured to allow remote users to connect without any authentication if they can access the etcd server bound to the network on the master nodes. An attacker could use this flaw to read and modify all the data about the Openshift cluster ... • https://access.redhat.com/errata/RHSA-2018:2013 • CWE-287: Improper Authentication CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1070 – Routing: Malicous Service configuration can bring down routing for an entire shard.
https://notcve.org/view.php?id=CVE-2018-1070
12 Jun 2018 — routing before version 3.10 is vulnerable to an improper input validation of the Openshift Routing configuration which can cause an entire shard to be brought down. A malicious user can use this vulnerability to cause a Denial of Service attack for other users of the router shard. routing en versiones anteriores a la 3.10 es vulnerable a una validación de entradas incorrecta de la configuración de Openshift Routing que puede permitir que una partición entera se caiga. Un usuario malicioso puede emplear esta... • https://access.redhat.com/errata/RHSA-2018:2013 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 2%CPEs: 42EXPL: 0CVE-2018-10237 – guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
https://notcve.org/view.php?id=CVE-2018-10237
26 Apr 2018 — Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. Asignación de memoria ... • http://www.securitytracker.com/id/1041707 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 9%CPEs: 17EXPL: 0CVE-2018-5968 – jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
https://notcve.org/view.php?id=CVE-2018-5968
22 Jan 2018 — FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. FasterXML jackson-databind, hasta la versión 2.8.11 y las versiones 2.9.x hasta la 2.9.3, permite la ejecución remota de código sin autenticar debido a una solución incompleta para los errores de deserialización CVE-2017-7525 y CVE-2017-... • https://access.redhat.com/errata/RHSA-2018:0478 • CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •