CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-2611
https://notcve.org/view.php?id=CVE-2017-2611
08 May 2018 — Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents. Jenkins en versiones anteriores a la 2.44, 2.32.2 es vulnerable a una exposición de información en la API interna que ... • http://www.securityfocus.com/bid/95956 • CWE-358: Improperly Implemented Security Check for Standard CWE-863: Incorrect Authorization •
CVSS: 9.9EPSS: 1%CPEs: 10EXPL: 0CVE-2018-1102 – source-to-image: Improper path sanitization in ExtractTarStreamFromTarReader in tar/tar.go
https://notcve.org/view.php?id=CVE-2018-1102
27 Apr 2018 — A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation. Se ha encontrado un error en la función source-to-image tal y como se distribuye con Openshift Enterprise 3.x. Una validación incorrecta de archivos tar en ExtractTarStreamFromTarReader en tar/tar.go conduce a un escalado de privilegios. Source-to-Image is a tool for building reproducible container images... • https://access.redhat.com/errata/RHSA-2018:1227 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 0CVE-2018-1059 – dpdk: Information exposure in unchecked guest physical to host virtual address translations
https://notcve.org/view.php?id=CVE-2018-1059
24 Apr 2018 — The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable. La interfaz vhost de usuario de DPDK no verifica que el rango físico invitado solicitado esté mapeado y sea contiguo al realizar traducciones de direcciones físicas de invitado a direc... • https://access.redhat.com/errata/RHSA-2018:1267 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2016-9592
https://notcve.org/view.php?id=CVE-2016-9592
16 Apr 2018 — openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of service attack as the number of API requests being sent to the cloud-provider exceeds the API's rate-limit. openshift, en versiones anteriores a la 3.3.1.11, 3.2.1.23 y 3.4, es vulnerable a un error cuando un volumen fracasa a la hora d... • http://www.securityfocus.com/bid/94991 • CWE-399: Resource Management Errors CWE-460: Improper Cleanup on Thrown Exception •
CVSS: 5.4EPSS: 0%CPEs: 9EXPL: 0CVE-2017-7534
https://notcve.org/view.php?id=CVE-2017-7534
11 Apr 2018 — OpenShift Enterprise version 3.x is vulnerable to a stored XSS via the log viewer for pods. The flaw is due to lack of sanitation of user input, specifically terminal escape characters, and the creation of clickable links automatically when viewing the log files for a pod. Las versiones 3.x de OpenShift Enterprise son vulnerables a Cross-Site Scripting (XSS) persistente mediante el visor de logs para pods. El error se debe a la falta de saneamiento de entradas de usuario, específicamente los caracteres de e... • http://www.securityfocus.com/bid/103754 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1069
https://notcve.org/view.php?id=CVE-2018-1069
09 Mar 2018 — Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem. Red Hat OpenShift Enterprise 3.7 es vulnerable a un reemplazo del control de acceso para los sistemas de archivos de red de contenedor. Un atacante podría reemplazar UserId y GroupId en GlusterFS y NFS para leer y escribir cualquier dato en el sistema de archivos de re... • http://www.securityfocus.com/bid/103364 • CWE-284: Improper Access Control CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4364
https://notcve.org/view.php?id=CVE-2013-4364
08 Jan 2018 — (1) oo-analytics-export and (2) oo-analytics-import in the openshift-origin-broker-util package in Red Hat OpenShift Enterprise 1 and 2 allow local users to have unspecified impact via a symlink attack on an unspecified file in /tmp. (1) oo-analytics-export y (2) oo-analytics-import en el paquete openshift-origin-broker-util en Red Hat OpenShift Enterprise 1 y 2 permiten que los usuarios locales provoquen un impacto sin especificar mediante un ataque symlink en un archivo no especificado en /tmp. • https://bugzilla.redhat.com/show_bug.cgi?id=1009734 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-0238
https://notcve.org/view.php?id=CVE-2015-0238
25 Sep 2017 — selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to obtain process listing information via a privilege escalation attack. selinux-policy tal y como está incluido en Red Hat OpenShift 2 permite que los atacantes obtengan información de la lista de procesos mediante un ataque de escalado de privilegios. • https://access.redhat.com/security/cve/CVE-2015-0238 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-7561
https://notcve.org/view.php?id=CVE-2015-7561
07 Aug 2017 — Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image. Kubernetes en OpenShift3 permite que atacantes remotos autenticados empleen las imágenes privadas de otros usuarios si conocen el nombre de dicha imagen. • https://bugzilla.redhat.com/show_bug.cgi?id=1291963 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.0EPSS: 0%CPEs: 9EXPL: 0CVE-2017-1000376 – Qualys Security Advisory - the Stack Clash
https://notcve.org/view.php?id=CVE-2017-1000376
19 Jun 2017 — libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1. libffi solicita una pila ejecutable que permite que los atacantes desencadenen con más fa... • http://www.debian.org/security/2017/dsa-3889 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •