
CVE-2025-2241 – Hive: exposure of vcenter credentials via clusterprovision in hive / mce / acm
https://notcve.org/view.php?id=CVE-2025-2241
17 Mar 2025 — A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation. • https://access.redhat.com/security/cve/CVE-2025-2241 • CWE-922: Insecure Storage of Sensitive Information •

CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-9779 – Open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
https://notcve.org/view.php?id=CVE-2024-9779
17 Dec 2024 — A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token ... • https://access.redhat.com/security/cve/CVE-2024-9779 • CWE-501: Trust Boundary Violation •

CVE-2024-3727 – Containers/image: digest type does not guarantee valid type
https://notcve.org/view.php?id=CVE-2024-3727
09 May 2024 — A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. Red Hat ... • https://access.redhat.com/errata/RHSA-2024:0045 • CWE-354: Improper Validation of Integrity Check Value •

CVE-2024-0874 – Coredns: cd bit response is cached and served later
https://notcve.org/view.php?id=CVE-2024-0874
25 Apr 2024 — A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching. Red Hat OpenShift Container Platform release 4.15.24 is now available with updates to packages and images that fix several bugs and add enhancements. • https://access.redhat.com/errata/RHSA-2024:0041 • CWE-524: Use of Cache Containing Sensitive Information •

CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •

CVE-2022-3248 – Openshift api admission checks does not enforce "custom-host" permissions
https://notcve.org/view.php?id=CVE-2022-3248
05 Oct 2023 — A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied. • https://access.redhat.com/security/cve/CVE-2022-3248 • CWE-863: Incorrect Authorization •

CVE-2023-3027 – ACM: governance policy propagator privilege escalation
https://notcve.org/view.php?id=CVE-2023-3027
05 Jun 2023 — The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies that contain dynamically obtained values (instead of the policy applying a static manifest on a managed cluster) to take advantage of cluster-scoped access in a created policy. This feature does not properly restrict lookups to content from the namespace where the policy was created. Red Hat Advanced Cluster Management for Kubernetes 2.8.1 images Red Hat Advanced Cluster Management for Kubernetes prov... • https://bugzilla.redhat.com/show_bug.cgi?id=2211468#c0 • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •

CVE-2022-3841 – RHACM: unauthenticated SSRF in console API endpoint
https://notcve.org/view.php?id=CVE-2022-3841
11 Jan 2023 — RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users to make requests. • https://access.redhat.com/security/cve/CVE-2022-3841 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2022-2238 – search-api: SQL injection leads to remote denial of service
https://notcve.org/view.php?id=CVE-2022-2238
01 Sep 2022 — A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search filter gets parsed by the backend. This flaw allows an attacker to craft specific strings containing special characters that lead to crashing the pod and affects system availability while restarting. • https://access.redhat.com/security/cve/CVE-2022-2238 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-400: Uncontrolled Resource Consumption •