Red Hat Openshift

The HTTP/2 protocol

CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11

CVE-2023-0229 6.3 - Medium - January 26, 2023

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify.

The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component

CVE-2023-0296 5.3 - Medium - January 17, 2023

The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on etcd grpc-proxy component. Even though the CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), therefore the potential impact related to this vulnerability is minimal. The CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component.

Use of a Broken or Risky Cryptographic Algorithm

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may

CVE-2022-3259 7.4 - High - December 09, 2022

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.

Improper Initialization

A flaw was found in Openshift

CVE-2022-3262 8.1 - High - December 08, 2022

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability.

Insecure Default Initialization of Resource

The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack

CVE-2022-3260 4.8 - Medium - December 08, 2022

The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.

Clickjacking

The deployment script in the unsupported "OpenShift Extras" set of add-on scripts

CVE-2013-4253 7.5 - High - October 19, 2022

The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file.

Exposure of Resource to Wrong Sphere

In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could

CVE-2013-4281 5.5 - Medium - October 19, 2022

In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file.

Incorrect Default Permissions

An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift

CVE-2017-7517 3.5 - Low - October 17, 2022

An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. If a user creates a project called "MyProject", and then later deletes it another user can then create a project called "MyProject" and access the metrics stored from the original "MyProject" instance.

Improper Input Validation

A credentials leak was found in the OpenShift Container Platform

CVE-2022-2403 6.5 - Medium - September 01, 2022

A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete

CVE-2021-4125 8.1 - High - August 24, 2022

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

Marshaling, Unmarshaling

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap

CVE-2021-3697 7 - High - July 06, 2022

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.

Memory Corruption

A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader

CVE-2021-3696 4.5 - Medium - July 06, 2022

A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be considered Low as it's very complex to an attacker control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.

Memory Corruption

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area

CVE-2021-3695 4.5 - Medium - July 06, 2022

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area. An attacker may take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform some triage over the heap layout to achieve signifcant results, also the values written into the memory are repeated three times in a row making difficult to produce valid payloads. This flaw affects grub2 versions prior grub-2.12.

Memory Corruption

In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file

CVE-2013-4561 9.1 - Critical - June 30, 2022

In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. This may lead to loss of confidentiality and integrity.

Exposure of Resource to Wrong Sphere

The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package, however the patch for CVE-2021-39242 was missing

CVE-2021-4047 7.5 - High - April 11, 2022

The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package, however the patch for CVE-2021-39242 was missing. This issue only affects Red Hat OpenShift 4.9.

Improper Input Validation

It was found in OpenShift, before version 4.8

CVE-2021-3636 4.6 - Medium - July 30, 2021

It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA, incorrectly included additional certificates. The Service CA is automatically mounted into all pods, allowing them to safely connect to trusted in-cluster services that present certificates signed by the trusted Service CA. The incorrect inclusion of additional CAs in this certificate would allow an attacker that compromises any of the additional CAs to masquerade as a trusted in-cluster service.

authentification

An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift

CVE-2020-35514 7 - High - June 02, 2021

An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0.

Incorrect Privilege Assignment

A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage

CVE-2020-1761 6.1 - Medium - May 27, 2021

A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim's browser. This flaw affects openshift/console versions before openshift/console-4.

An insecure modification vulnerability in the /etc/passwd file was found in the container operator-framework/operator-metering as shipped in Red Hat Openshift 4

CVE-2019-19349 7.8 - High - March 24, 2021

An insecure modification vulnerability in the /etc/passwd file was found in the container operator-framework/operator-metering as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Incorrect Privilege Assignment

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ansible-service-broker as shipped in Red Hat Openshift 4 and 3.11

CVE-2019-19350 7.8 - High - March 24, 2021

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ansible-service-broker as shipped in Red Hat Openshift 4 and 3.11. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Incorrect Privilege Assignment

A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey

CVE-2019-10225 6.3 - Medium - March 19, 2021

A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files.

Insufficiently Protected Credentials

A content spoofing vulnerability was found in the openshift/console 3.11 and 4.x

CVE-2020-10715 4.3 - Medium - September 16, 2020

A content spoofing vulnerability was found in the openshift/console 3.11 and 4.x. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the inserted text is legitimate.

Improper Input Validation

A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can

CVE-2020-1759 6.8 - Medium - April 13, 2020

A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks.

Reusing a Nonce, Key Pair in Encryption

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb

CVE-2019-19346 7 - High - April 02, 2020

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4 . An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Improper Privilege Management

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base

CVE-2019-19348 7 - High - April 02, 2020

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Improper Privilege Management

A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0

CVE-2020-1709 7.8 - High - March 20, 2020

A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/mediawiki. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Incorrect Permission Assignment for Critical Resource

A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0

CVE-2019-19345 7.8 - High - March 20, 2020

A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mediawiki-apb. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Incorrect Privilege Assignment

A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0

CVE-2020-1707 7 - High - March 20, 2020

A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/postgresql-apb. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Incorrect Permission Assignment for Critical Resource

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk

CVE-2019-19355 7 - High - March 18, 2020

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/ansible-operator-container as shipped in Openshift 4.

Incorrect Privilege Assignment

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins

CVE-2019-19351 7 - High - March 18, 2020

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/jenkins-slave-base-rhel7-containera as shipped in Openshift 4 and 3.11.

Incorrect Privilege Assignment

During installation of an OpenShift 4 cluster

CVE-2019-19335 4.4 - Medium - March 18, 2020

During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. Both files contain credentials used to authenticate to the OpenShift API server, and are incorrectly assigned word-readable permissions. ose-installer as shipped in Openshift 4.2 is vulnerable.

Incorrect Permission Assignment for Critical Resource

Nokogiri before 1.5.4 is vulnerable to XXE attacks

CVE-2012-6685 7.5 - High - February 19, 2020

Nokogiri before 1.5.4 is vulnerable to XXE attacks

XEE

The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which

CVE-2014-0234 9.8 - Critical - February 12, 2020

The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920. NOTE: this may overlap CVE-2013-4253 and CVE-2013-4281.

Insecure Default Initialization of Resource

mcollective has a default password set at install

CVE-2014-0175 9.8 - Critical - December 13, 2019

mcollective has a default password set at install

Use of Hard-coded Credentials

cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp.

CVE-2013-0165 7.3 - High - November 01, 2019

cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in OpenShift does not properly create files in /tmp.

Improper Input Validation

A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3

CVE-2019-14845 5.3 - Medium - October 08, 2019

A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content.

Download of Code Without Integrity Check

On version 1.9.0

CVE-2019-6648 4.4 - Medium - September 04, 2019

On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL Private Keys and Private key Passphrases as provided as inputs by an AS3 Declaration.

Insertion of Sensitive Information into Log File

A vulnerability exists in the garbage collection mechanism of atomic-openshift

CVE-2019-3884 5.4 - Medium - August 01, 2019

A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects. Versions 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 4.1 are affected.

Authentication Bypass by Spoofing

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access

CVE-2019-5736 8.6 - High - February 11, 2019

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Shell injection

A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2

CVE-2018-14645 7.5 - High - September 21, 2018

A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.

Out-of-bounds Read

It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields

CVE-2016-7075 8.1 - High - September 10, 2018

It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.

Improper Certificate Validation

An input validation flaw was found in the way OpenShift 3 handles requests for images

CVE-2016-8651 3.5 - Low - August 01, 2018

An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure of any information contained within the image.

Improper Input Validation

The OpenShift Enterprise 3 router does not properly sort routes when processing newly added routes

CVE-2016-8631 7.7 - High - July 31, 2018

The OpenShift Enterprise 3 router does not properly sort routes when processing newly added routes. An attacker with access to create routes can potentially overwrite existing routes and redirect network traffic for other users to their own site.

Improper Input Validation

The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example

CVE-2017-15137 5.3 - Medium - July 16, 2018

The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.

Improper Input Validation

A flaw was found in ansible

CVE-2018-10875 7.8 - High - July 13, 2018

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

Untrusted Path

In atomic-openshift before version 3.10.9 a malicious network-policy configuration

CVE-2018-10885 7.5 - High - July 05, 2018

In atomic-openshift before version 3.10.9 a malicious network-policy configuration can cause Openshift Routing to crash when using ovs-networkpolicy plugin. An attacker can use this flaw to cause a Denial of Service (DoS) attack on an Openshift 3.9, or 3.7 Cluster.

Improper Input Validation

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions

CVE-2018-1257 6.5 - Medium - May 11, 2018

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389)

CVE-2017-2611 4.3 - Medium - May 08, 2018

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

AuthZ

A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x

CVE-2018-1102 8.8 - High - April 30, 2018

A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation.

Improper Input Validation

The DPDK vhost-user interface does not check to verify

CVE-2018-1059 6.1 - Medium - April 24, 2018

The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable.

Information Disclosure

Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems

CVE-2018-1069 7.1 - High - March 09, 2018

Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem.

Incorrect Permission Assignment for Critical Resource

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3

CVE-2015-7501 9.8 - Critical - November 09, 2017

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Marshaling, Unmarshaling

Kubernetes in OpenShift3

CVE-2015-7561 3.1 - Low - August 07, 2017

Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.

Permissions, Privileges, and Access Controls

libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack

CVE-2017-1000376 7 - High - June 19, 2017

libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

Buffer Overflow

The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment

CVE-2016-5392 6.5 - Medium - August 05, 2016

The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment allows remote authenticated users with knowledge of other project names to obtain sensitive project and user information via vectors related to the watch-cache list.

Information Disclosure

Red Hat OpenShift Enterprise 3.2

CVE-2016-2149 6.5 - Medium - June 08, 2016

Red Hat OpenShift Enterprise 3.2 allows remote authenticated users to read log files from another namespace by using the same name as a previously deleted namespace when creating a new namespace.

Information Disclosure

Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which

CVE-2016-2142 5.5 - Medium - June 08, 2016

Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which allows local users to obtain Active Directory credentials by reading the file.

Information Disclosure

Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which

CVE-2016-3703 5.3 - Medium - June 08, 2016

Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web browser localStorage via an access_token in the query parameter.

Authorization

Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and a build is run in a namespace

CVE-2016-3708 7.1 - High - June 08, 2016

Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and a build is run in a namespace that would normally be isolated from pods in other namespaces, allows remote authenticated users to access network resources on restricted pods via an s2i build with a builder image that (1) contains ONBUILD commands or (2) does not contain a tar binary.

Authorization

HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin

CVE-2016-3711 3.3 - Low - June 08, 2016

HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allows local users to obtain the internal IP address of a pod by reading the "OPENSHIFT_[namespace]_SERVERID" cookie.

Information Disclosure

Red Hat OpenShift Enterprise 3.2 does not properly restrict access to STI builds, which

CVE-2016-3738 8.8 - High - June 08, 2016

Red Hat OpenShift Enterprise 3.2 does not properly restrict access to STI builds, which allows remote authenticated users to access the Docker socket and gain privileges via vectors related to build-pod.

Permissions, Privileges, and Access Controls

Kubernetes before 1.2.0-alpha.5

CVE-2015-7528 5.3 - Medium - April 11, 2016

Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.

Information Disclosure

Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0

CVE-2015-5305 - November 06, 2015

Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.

Directory traversal

rubygem-openshift-origin-console in Red Hat OpenShift 2.2

CVE-2015-5274 - September 18, 2015

rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker.

Command Injection

Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissions, which

CVE-2015-5222 - August 24, 2015

Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissions, which allows remote authenticated users with build permissions to execute arbitrary shell commands with root permissions on arbitrary build pods via unspecified vectors.

Permissions, Privileges, and Access Controls

Red Hat OpenShift Enterprise 2.0 and 2.1 and OpenShift Origin allow remote authenticated users to execute arbitrary commands via shell metacharacters in a directory name

CVE-2014-0233 - November 16, 2014

Red Hat OpenShift Enterprise 2.0 and 2.1 and OpenShift Origin allow remote authenticated users to execute arbitrary commands via shell metacharacters in a directory name that is referenced by a cartridge using the file: URI scheme.

Code Injection

Red Hat OpenShift Enterprise before 2.2

CVE-2014-3602 - November 13, 2014

Red Hat OpenShift Enterprise before 2.2 allows local users to obtain IP address and port number information for remote systems by reading /proc/net/tcp.

Permissions, Privileges, and Access Controls

Red Hat OpenShift Enterprise before 2.2 does not properly restrict access to gears, which

CVE-2014-3674 - November 13, 2014

Red Hat OpenShift Enterprise before 2.2 does not properly restrict access to gears, which allows remote attackers to access the network resources of arbitrary gears via unspecified vectors.

Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3

CVE-2014-3680 - October 16, 2014

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Information Disclosure

Jenkins before 1.583 and LTS before 1.565.3

CVE-2014-3663 - October 16, 2014

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3

CVE-2014-3662 - October 16, 2014

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Information Disclosure

Jenkins before 1.583 and LTS before 1.565.3

CVE-2014-3661 - October 16, 2014

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which

CVE-2014-3667 - October 16, 2014

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Information Disclosure

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3

CVE-2014-3681 - October 15, 2014

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

XSS

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3

CVE-2014-3664 - October 15, 2014

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Directory traversal

cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1

CVE-2014-3496 - June 20, 2014

cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a (1) .tar.gz, (2) .zip, (3) .tgz, or (4) .tar file extension in a cartridge manifest file.

Code Injection

openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which

CVE-2014-0164 - May 05, 2014

openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file.

Cryptographic Issues

The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which

CVE-2014-0188 - April 24, 2014

The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to a passthrough trigger.

authentification

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby

CVE-2013-2119 - January 03, 2014

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.

Permissions, Privileges, and Access Controls

The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1

CVE-2013-0164 - February 24, 2013

The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

Permissions, Privileges, and Access Controls

node-util/www/html/restorer.php in the Red Hat OpenShift Origin before 1.0.5-3

CVE-2012-5646 - February 24, 2013

node-util/www/html/restorer.php in the Red Hat OpenShift Origin before 1.0.5-3 allows remote attackers to execute arbitrary commands via a crafted uuid in the PATH_INFO.

Improper Input Validation

Cross-site request forgery (CSRF) vulnerability in the management console (openshift-console/app/controllers/application_controller.rb) in OpenShift 0.0.5

CVE-2012-5622 - December 18, 2012

Cross-site request forgery (CSRF) vulnerability in the management console (openshift-console/app/controllers/application_controller.rb) in OpenShift 0.0.5 allows remote attackers to hijack the authentication of arbitrary users via unspecified vectors.

Session Riding