CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-12133 – Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos
https://notcve.org/view.php?id=CVE-2024-12133
10 Feb 2025 — A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack. USN-7275-1 fixed vulnerabilities in Libtasn1. This update provides the corresponding updates for Ubuntu 24.04 LTS. • https://access.redhat.com/security/cve/CVE-2024-12133 • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 5.5EPSS: 0%CPEs: 46EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56161
https://notcve.org/view.php?id=CVE-2024-56161
03 Feb 2025 — Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP. • https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2025-23367 – Org.wildfly.core:wildfly-server: wildfly improper rbac permission
https://notcve.org/view.php?id=CVE-2025-23367
30 Jan 2025 — A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whet... • https://access.redhat.com/security/cve/CVE-2025-23367 • CWE-284: Improper Access Control •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-13484 – Openshift-gitops-operator-container: namespace isolation break
https://notcve.org/view.php?id=CVE-2024-13484
28 Jan 2025 — A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied. A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace... • https://access.redhat.com/security/cve/CVE-2024-13484 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0754 – Envoyproxy: openshift service mesh 2.6.3 and 2.5.6 envoy header handling allows log injection and potential spoofing
https://notcve.org/view.php?id=CVE-2025-0754
28 Jan 2025 — The vulnerability was found in OpenShift Service Mesh 2.6.3 and 2.5.6. This issue occurs due to improper sanitization of HTTP headers by Envoy, particularly the x-forwarded-for header. This lack of sanitization can allow attackers to inject malicious payloads into service mesh logs, leading to log injection and spoofing attacks. Such injections can mislead logging mechanisms, enabling attackers to manipulate log entries or execute reflected cross-site scripting (XSS) attacks. • https://access.redhat.com/security/cve/CVE-2025-0754 • CWE-117: Improper Output Neutralization for Logs •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0752 – Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized access
https://notcve.org/view.php?id=CVE-2025-0752
28 Jan 2025 — A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rate-limiter avoidance, access-control bypass, CPU and memory exhaustion, and replay attacks may be possible due to improper HTTP header sanitization in Envoy. • https://access.redhat.com/security/cve/CVE-2025-0752 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0750 – Cri-o: cri-o path traversal in log handling functions allows arbitrary unmounting
https://notcve.org/view.php?id=CVE-2025-0750
28 Jan 2025 — A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories. Red Hat OpenShift Container Platform release 4.17.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a traversal vulnerability. • https://access.redhat.com/security/cve/CVE-2025-0750 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0736 – Org.infinispan-infinispan-parent: exposure of sensitive information in application logs
https://notcve.org/view.php?id=CVE-2025-0736
28 Jan 2025 — A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors. An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. • https://access.redhat.com/security/cve/CVE-2025-0736 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4975 – Rhacs: cross-site scripting in portal
https://notcve.org/view.php?id=CVE-2022-4975
27 Jan 2025 — A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/* endpoints, the front-end generates a DOM table-element (id="pdf-table"). This information is then populated with unsanitized data using innerHTML. An attacker with some control over the data rendered can trigger a cross-site scripting (XSS) vulnerability. • https://access.redhat.com/security/cve/CVE-2022-4975 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •