CVSS: 5.0EPSS: %CPEs: 5EXPL: 0CVE-2025-5987 – Libssh: invalid return code for chacha20 poly1305 with openssl backend
https://notcve.org/view.php?id=CVE-2025-5987
05 Jul 2025 — A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes. Th... • https://access.redhat.com/security/cve/CVE-2025-5987 • CWE-393: Return of Wrong Status Code •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9453 – Jenkins-image: sensitive data disclosure when using openshift jenkins image
https://notcve.org/view.php?id=CVE-2024-9453
04 Jul 2025 — A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information. Se encontró una vulnerabilidad en Red Hat OpenShift Jenkins. • https://access.redhat.com/security/cve/CVE-2024-9453 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-5351 – Libssh: double free vulnerability in libssh key export functions
https://notcve.org/view.php?id=CVE-2025-5351
04 Jul 2025 — A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.... • https://access.redhat.com/security/cve/CVE-2025-5351 • CWE-415: Double Free •
CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0CVE-2025-5372 – Libssh: incorrect return code handling in ssh_kdf() in libssh
https://notcve.org/view.php?id=CVE-2025-5372
04 Jul 2025 — A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, in... • https://access.redhat.com/security/cve/CVE-2025-5372 • CWE-682: Incorrect Calculation •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-6017 – Rhacm: users with clusterreader role can see credentials from managed-clusters
https://notcve.org/view.php?id=CVE-2025-6017
02 Jul 2025 — A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors. Se detectó una falla en Red Hat Advanced Cluster Management en las version... • https://access.redhat.com/security/cve/CVE-2025-6017 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6920 – Ai-inference-server: authentication bypass via unprotected inference endpoint in api
https://notcve.org/view.php?id=CVE-2025-6920
01 Jul 2025 — A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/* endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows unauthorized users to access the same inference features available on protected endpoints, potentially exposing sensitive functionality or allowing unintended access to backend resources. Se detectó una falla en el m... • https://access.redhat.com/security/cve/CVE-2025-6920 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-49520 – Event-driven-ansible: authenticated argument injection in git url in eda project creation
https://notcve.org/view.php?id=CVE-2025-49520
30 Jun 2025 — A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access. • https://access.redhat.com/errata/RHSA-2025:9986 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-49521 – Event-driven-ansible: template injection via git branch and refspec in eda projects
https://notcve.org/view.php?id=CVE-2025-49521
30 Jun 2025 — A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. • https://access.redhat.com/errata/RHSA-2025:9986 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.0EPSS: 0%CPEs: 23EXPL: 7CVE-2025-32462 – sudo: LPE via host option
https://notcve.org/view.php?id=CVE-2025-32462
30 Jun 2025 — Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (`-h` or `--host`). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (`-l` or `--... • https://github.com/CryingN/CVE-2025-32462 • CWE-863: Incorrect Authorization •
CVSS: 6.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-5731 – Infinispan: credential leakage in infinispan cli
https://notcve.org/view.php?id=CVE-2025-5731
26 Jun 2025 — A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found. An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from t... • https://access.redhat.com/security/cve/CVE-2025-5731 • CWE-209: Generation of Error Message Containing Sensitive Information •