CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10200
https://notcve.org/view.php?id=CVE-2019-10200
19 Mar 2021 — A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high. Se detectó un fal... • https://bugzilla.redhat.com/show_bug.cgi?id=1730161 • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10225
https://notcve.org/view.php?id=CVE-2019-10225
19 Mar 2021 — A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files. Se encontró un fallo en atomic-openshift de openshift-4.2, donde el rol de usuario básico RABC en OpenShift Container P... • https://bugzilla.redhat.com/show_bug.cgi?id=1743073 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2021-20270 – python-pygments: Infinite loop in SML lexer may lead to DoS
https://notcve.org/view.php?id=CVE-2021-20270
09 Mar 2021 — An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. Un bucle infinito en SMLLexer en Pygments versiones 1.5 hasta 2.7.3, puede conllevar a una denegación de servicio cuando se lleva a cabo el resaltado de sintaxis de un archivo fuente de Standard ML (SML), como es demostrado por la entrada que solo contiene la palabra clave "exc... • https://bugzilla.redhat.com/show_bug.cgi?id=1922136 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 37EXPL: 0CVE-2020-27827 – lldp/openvswitch: denial of service via externally triggered memory leak
https://notcve.org/view.php?id=CVE-2020-27827
28 Jan 2021 — A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo en múltiples versiones de OpenvSwitch. Los paquetes LLDP especialmente diseñados pueden causar que una memoria se pierda cuando se asignan datos para manejar TLV opcionales específicos, potencialmente causan... • https://bugzilla.redhat.com/show_bug.cgi?id=1921438 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 12%CPEs: 10EXPL: 1CVE-2020-27846 – crewjam/saml: authentication bypass in saml authentication
https://notcve.org/view.php?id=CVE-2020-27846
21 Dec 2020 — A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se presenta una vulnerabilidad de verificación de firmas en crewjam/saml. Este fallo permite a un atacante omitir la autenticación SAML. • https://bugzilla.redhat.com/show_bug.cgi?id=1907670 • CWE-115: Misinterpretation of Input •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2020-27781 – ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila
https://notcve.org/view.php?id=CVE-2020-27781
18 Dec 2020 — User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. • https://bugzilla.redhat.com/show_bug.cgi?id=1900109 • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-27816 – openshift/elasticsearch-operator: arbitrary URL redirection of the cluster logging kibana console
https://notcve.org/view.php?id=CVE-2020-27816
02 Dec 2020 — The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or the openshift-logging console link damage. This flaw affects elasticsearch-operator-container versions before 4.7. Elasticsearch-operator no comprueba el espacio de nombres donde el r... • https://bugzilla.redhat.com/show_bug.cgi?id=1902698 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25660 – ceph: CEPHX_V2 replay attack protection lost
https://notcve.org/view.php?id=CVE-2020-25660
23 Nov 2020 — A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph service via a packet sniffer and perform actions allowed by the Ceph service. This issue is a reintroduction of CVE-2018-1128, affecting the msgr2 protocol. The msgr 2 protocol is used for all communication exce... • https://bugzilla.redhat.com/show_bug.cgi?id=1890354 • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14336 – openshift: restricted SCC allows pods to craft custom network packets
https://notcve.org/view.php?id=CVE-2020-14336
26 Oct 2020 — A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability. Se ha encontrado un fallo en las Restricciones de Contexto de Seguridad (SCC), que permite a los pods diseñar paquetes de red personalizados. Este fallo permite a un atacante causar un... • https://bugzilla.redhat.com/show_bug.cgi?id=1858981 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-10763 – heketi: gluster-block volume password details available in logs
https://notcve.org/view.php?id=CVE-2020-10763
30 Sep 2020 — An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords. Se encontró un fallo en la divulgación de información en la forma en que Heketi versiones anteriores a 10.1.0 registra información confidencial. Este fallo permite a un atacante con acceso local al servidor de Heketi leer información potencialmente confidencial, ... • https://bugzilla.redhat.com/show_bug.cgi?id=1845387 • CWE-532: Insertion of Sensitive Information into Log File •