CVSS: 8.3EPSS: 0%CPEs: 43EXPL: 0CVE-2024-3727 – Containers/image: digest type does not guarantee valid type
https://notcve.org/view.php?id=CVE-2024-3727
09 May 2024 — A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. Se encontró una falla en la librería github.com/containers/image. Esta falla permite a los atacantes activar accesos inesperados al registro autenticado en nombre de un usuario víctima, lo que provoca agotamiento de recursos, path traversal local y otros ataques. Red Hat ... • https://access.redhat.com/errata/RHSA-2024:0045 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 7.8EPSS: 80%CPEs: 444EXPL: 16CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-3684
https://notcve.org/view.php?id=CVE-2021-3684
24 Mar 2023 — A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user. • https://bugzilla.redhat.com/show_bug.cgi?id=1985962 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20198 – openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250
https://notcve.org/view.php?id=CVE-2021-20198
08 Feb 2021 — A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as wel... • https://bugzilla.redhat.com/show_bug.cgi?id=1920764 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 1%CPEs: 61EXPL: 0CVE-2019-14379 – jackson-databind: default typing mishandling leading to remote code execution
https://notcve.org/view.php?id=CVE-2019-14379
29 Jul 2019 — SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. El archivo SubTypeValidator.java en jackson-databind de FasterXML en versiones anteriores a la 2.9.9.2 maneja inapropiadamente la escritura predeterminada cuando se usa ehcache (debido a net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), lo que conlleva a la ejecuc... • http://seclists.org/fulldisclosure/2022/Mar/23 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 12%CPEs: 58EXPL: 0CVE-2018-14718 – jackson-databind: arbitrary code execution in slf4j-ext class
https://notcve.org/view.php?id=CVE-2018-14718
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malic... • http://www.securityfocus.com/bid/106601 • CWE-502: Deserialization of Untrusted Data •