
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker.

A command injection flaw was found in the OpenShift Origin Management Console. A remote, authenticated user permitted to send requests to the Broker could use this flaw to execute arbitrary commands with elevated privileges on the Red Hat OpenShift server.

• http://rhn.redhat.com/errata/RHSA-2015-1808.html
• https://access.redhat.com/security/cve/CVE-2015-5274
• https://bugzilla.redhat.com/show_bug.cgi?id=1262518

• CWE-20: Improper Input Validation
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 4.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

The API server in OpenShift Origin 1.0.5 allows remote attackers to cause a denial of service (master process crash) via crafted JSON data.

It was found that improper error handling in the API server could cause the master process to crash. A user with network access to the master could use this flaw to crash the master process.

• https://access.redhat.com/errata/RHSA-2015:1736
• https://bugzilla.redhat.com/show_bug.cgi?id=1259867
• https://github.com/openshift/origin/issues/4374
• https://access.redhat.com/security/cve/CVE-2015-5250

• CWE-20: Improper Input Validation

CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissions, which allows remote authenticated users with build permissions to execute arbitrary shell commands with root permissions on arbitrary build pods via unspecified vectors.

An improper permission check issue was discovered in the server admission control component in OpenShift. A user with build permissions could use this flaw to execute arbitrary shell commands on a build pod with the privileges of the root user.

• https://access.redhat.com/errata/RHSA-2015:1650
• https://access.redhat.com/security/cve/CVE-2015-5222
• https://bugzilla.redhat.com/show_bug.cgi?id=1255120

• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization

CVSS: 7.5 | EPSS: 0% | CPEs: 9 | EXPL: 1

Nokogiri before 1.5.4 is vulnerable to XXE attacks.

• https://bugzilla.redhat.com/show_bug.cgi?id=1178970
• https://github.com/sparklemotion/nokogiri/issues/693
• https://nokogiri.org/CHANGELOG.html#154-2012-06-12
• https://access.redhat.com/security/cve/CVE-2012-6685

• CWE-611: Improper Restriction of XML External Entity Reference
• CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSS: 4.0 | EPSS: 0% | CPEs: 16 | EXPL: 0

Red Hat OpenShift Enterprise before 2.2 allows local users to obtain IP address and port number information for remote systems by reading /proc/net/tcp.

It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could expose the IP addresses or port numbers in use by remote systems, which may be useful for further targeted attacks.

• http://rhn.redhat.com/errata/RHSA-2014-1796.html
• http://rhn.redhat.com/errata/RHSA-2014-1906.html
• https://access.redhat.com/security/cve/CVE-2014-3602
• https://bugzilla.redhat.com/show_bug.cgi?id=1131680

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-264: Permissions, Privileges, and Access Controls