CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3248 – Openshift api admission checks does not enforce "custom-host" permissions
https://notcve.org/view.php?id=CVE-2022-3248
05 Oct 2023 — A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied. Se encontró una falla en la API de OpenShift, ya que las comprobaciones de admisión no aplican permisos de "custom-host". Este problema podría permitir que un atacante viole los límites, ya que no se aplicarán los permisos. • https://access.redhat.com/security/cve/CVE-2022-3248 • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3841 – RHACM: unauthenticated SSRF in console API endpoint
https://notcve.org/view.php?id=CVE-2022-3841
11 Jan 2023 — RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauthenticated users making requests. RHACM: SSRF no autenticado en el endpoint de la API de la consola. Se encontró una vulnerabilidad Server-Side Request Forgery (SSRF) en el endpoint de l... • https://access.redhat.com/security/cve/CVE-2022-3841 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2238 – search-api: SQL injection leads to remote denial of service
https://notcve.org/view.php?id=CVE-2022-2238
01 Sep 2022 — A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search filter gets parsed by the backend. This flaw allows an attacker to craft specific strings containing special characters that lead to crashing the pod and affects system availability while restarting. Se encontró una vulnerabilidad en el contenedor search-api en Red Hat Advanced Cluster Management for Kubernetes cuando una consulta en el filtro de búsqueda es analizada por el... • https://access.redhat.com/security/cve/CVE-2022-2238 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-27191 – golang: crash in a golang.org/x/crypto/ssh server
https://notcve.org/view.php?id=CVE-2022-27191
18 Mar 2022 — The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. El paquete golang.org/x/crypto/ssh anterior a 0.0.0-20220314234659-1baeb1ce4c0b para Go permite a un atacante bloquear un servidor en ciertas circunstancias que implican AddHostKey A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject ... • https://groups.google.com/g/golang-announce • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25688
https://notcve.org/view.php?id=CVE-2020-25688
23 Nov 2020 — A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, potentially obtaining information they would not otherwise be able to. These certificates are not used for... • https://bugzilla.redhat.com/show_bug.cgi?id=1892551 • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25655 – open-cluster-management: RBAC bypass may disclose cluster secrets to other users
https://notcve.org/view.php?id=CVE-2020-25655
22 Oct 2020 — An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users. Se detectó un problema en la API ManagedClusterView, que podría permitir que sean divulgados secretos a usuarios sin los permisos correctos.... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25655 • CWE-863: Incorrect Authorization •