Max CVSS 10.0 Min CVSS 2.1 Total Count112
IDCVSSSummaryLast (major) updatePublished
CVE-2018-18314 7.5
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
07-12-2018 - 16:29 07-12-2018 - 16:29
CVE-2018-18313 6.4
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
07-12-2018 - 16:29 07-12-2018 - 16:29
CVE-2018-18311 7.5
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
07-12-2018 - 16:29 07-12-2018 - 16:29
CVE-2018-18312 7.5
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
05-12-2018 - 17:29 05-12-2018 - 17:29
CVE-2018-1002105 7.5
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server
05-12-2018 - 16:29 05-12-2018 - 16:29
CVE-2018-16863 9.3
It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript d
03-12-2018 - 12:29 03-12-2018 - 12:29
CVE-2018-18955 4.4
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected u
16-11-2018 - 15:29 16-11-2018 - 15:29
CVE-2018-8416 4.0
A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.
13-11-2018 - 20:29 13-11-2018 - 20:29
CVE-2018-19211 4.3
In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack.
12-11-2018 - 14:29 12-11-2018 - 14:29
CVE-2018-11759 None
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs sup
31-10-2018 - 16:29 31-10-2018 - 16:29
CVE-2018-18281 4.6
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain f
30-10-2018 - 14:29 30-10-2018 - 14:29
CVE-2018-6559 2.1
The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace.
26-10-2018 - 13:29 26-10-2018 - 13:29
CVE-2018-18653 7.2
The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a m
25-10-2018 - 20:29 25-10-2018 - 20:29
CVE-2018-18445 7.2
In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bi
17-10-2018 - 15:29 17-10-2018 - 15:29
CVE-2018-17972 4.9
An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwindi
03-10-2018 - 18:29 03-10-2018 - 18:29
CVE-2018-3830 4.3
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
19-09-2018 - 15:29 19-09-2018 - 15:29
CVE-2016-7075 6.8
It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509
10-09-2018 - 10:29 10-09-2018 - 10:29
CVE-2018-14632 4.0
An out of bound write can occur when patching an Openshift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service whi
06-09-2018 - 10:29 06-09-2018 - 10:29
CVE-2016-1000232 5.0
NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulne
05-09-2018 - 13:29 05-09-2018 - 13:29
CVE-2018-16509 9.3
An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instr
05-09-2018 - 02:29 05-09-2018 - 02:29
CVE-2018-16429 5.0
GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().
03-09-2018 - 20:29 03-09-2018 - 20:29
CVE-2018-7166 5.0
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `e
21-08-2018 - 09:29 21-08-2018 - 08:29
CVE-2018-12115 5.0
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a
21-08-2018 - 09:29 21-08-2018 - 08:29
CVE-2016-8651 2.7
An input validation flaw was found in the way OpenShift 3 handles requests for images. A user, with a copy of the manifest associated with an image, can pull an image even if they do not have access to the image normally, resulting in the disclosure
01-08-2018 - 12:29 01-08-2018 - 12:29
CVE-2016-8631 4.0
The OpenShift Enterprise 3 router does not properly sort routes when processing newly added routes. An attacker with access to create routes can potentially overwrite existing routes and redirect network traffic for other users to their own site.
31-07-2018 - 16:29 31-07-2018 - 16:29
CVE-2016-8628 9.0
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansibl
31-07-2018 - 16:29 31-07-2018 - 16:29
CVE-2017-12195 5.8
A flaw was found in all Openshift Enterprise versions using the openshift elasticsearch plugin. An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication
27-07-2018 - 11:29 27-07-2018 - 11:29
CVE-2017-7481 7.5
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting
19-07-2018 - 09:29 19-07-2018 - 09:29
CVE-2018-10843 9.0
source-to-image component of Openshift Container Platform before versions atomic-openshift 3.7.53, atomic-openshift 3.9.31 is vulnerable to a privilege escalation which allows the assemble script to run as the root user in a non-privileged container.
02-07-2018 - 13:29 02-07-2018 - 13:29
CVE-2017-7466 8.5
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could
22-06-2018 - 09:29 22-06-2018 - 09:29
CVE-2016-1000023 None
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10540. Reason: This candidate is a reservation duplicate of CVE-2016-10540. Notes: All CVE users should reference CVE-2016-10540 instead of this candidate. All references and desc
17-06-2018 - 16:29 17-06-2018 - 16:29
CVE-2018-1085 10.0
openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigured etcd file that causes the SSL client certificate authentication to be disabled. Quotations around the values of ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd.conf
15-06-2018 - 09:29 15-06-2018 - 09:29
CVE-2018-1070 5.0
routing before version 3.10 is vulnerable to an improper input validation of the Openshift Routing configuration which can cause an entire shard to be brought down. A malicious user can use this vulnerability to cause a Denial of Service attack for o
12-06-2018 - 09:29 12-06-2018 - 09:29
CVE-2018-0732 5.0
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime result
12-06-2018 - 09:29 12-06-2018 - 09:29
CVE-2018-1102 6.5
A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation.
30-04-2018 - 15:29 30-04-2018 - 15:29
CVE-2016-9587 9.3
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to th
24-04-2018 - 12:29 24-04-2018 - 12:29
CVE-2017-1002102 6.3
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are ru
13-03-2018 - 13:29 13-03-2018 - 13:29
CVE-2017-1002101 5.5
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outs
13-03-2018 - 13:29 13-03-2018 - 13:29
CVE-2015-7501 10.0
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x
09-11-2017 - 12:29 09-11-2017 - 12:29
CVE-2014-3566 4.3
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
23-03-2017 - 21:59 14-10-2014 - 20:55
CVE-2015-5254 7.5
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
07-02-2017 - 21:59 08-01-2016 - 14:59
CVE-2014-3577 5.8
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName fi
10-01-2017 - 21:59 21-08-2014 - 10:55
CVE-2014-3496 10.0
cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a (1) .tar.gz, (2) .zip, (3) .tgz, or (4) .tar file extension in
06-01-2017 - 22:00 20-06-2014 - 10:55
CVE-2016-2074 7.5
Buffer overflow in lib/flow.c in ovs-vswitchd in Open vSwitch 2.2.x and 2.3.x before 2.3.3 and 2.4.x before 2.4.1 allows remote attackers to execute arbitrary code via crafted MPLS packets, as demonstrated by a long string in an ovs-appctl command.
03-01-2017 - 21:59 03-07-2016 - 17:59
CVE-2014-8111 5.0
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.
30-12-2016 - 21:59 21-04-2015 - 13:59
CVE-2015-3281 5.0
The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pending outgoing data, which allows remote attackers to obtain sensitive information (uninitialized memory contents of pre
27-12-2016 - 21:59 06-07-2015 - 11:59
CVE-2013-2175 5.0
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP hea
07-12-2016 - 18:43 19-08-2013 - 09:07
CVE-2015-8103 7.5
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the
07-12-2016 - 13:26 25-11-2015 - 15:59
CVE-2013-2119 4.6
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tm
06-12-2016 - 14:05 03-01-2014 - 13:54
CVE-2016-5418 5.0
The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
28-11-2016 - 15:25 21-09-2016 - 10:25
CVE-2016-5325 4.3
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response s
28-11-2016 - 15:24 10-10-2016 - 12:59
CVE-2013-4152 6.8
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF at
28-11-2016 - 14:09 23-01-2014 - 16:55
CVE-2016-5392 6.8
The API server in Kubernetes, as used in Red Hat OpenShift Enterprise 3.2, in a multi tenant environment allows remote authenticated users with knowledge of other project names to obtain sensitive project and user information via vectors related to t
05-08-2016 - 14:46 05-08-2016 - 11:59
CVE-2016-3727 4.0
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vect
14-07-2016 - 16:56 17-05-2016 - 10:08
CVE-2016-3726 5.8
Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.
14-07-2016 - 16:52 17-05-2016 - 10:08
CVE-2016-3725 5.0
Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service
14-07-2016 - 16:52 17-05-2016 - 10:08
CVE-2016-3724 4.0
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.
14-07-2016 - 16:51 17-05-2016 - 10:08
CVE-2016-3723 4.0
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
14-07-2016 - 16:47 17-05-2016 - 10:08
CVE-2016-3722 4.0
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."
14-07-2016 - 16:47 17-05-2016 - 10:08
CVE-2016-3721 4.0
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.
14-07-2016 - 16:46 17-05-2016 - 10:08
CVE-2016-0792 9.0
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
14-07-2016 - 16:42 07-04-2016 - 19:59
CVE-2016-0791 7.5
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.
14-07-2016 - 16:42 07-04-2016 - 19:59
CVE-2016-0790 5.0
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
14-07-2016 - 16:41 07-04-2016 - 19:59
CVE-2016-0789 4.3
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
14-07-2016 - 16:41 07-04-2016 - 19:59
CVE-2016-0788 10.0
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
14-07-2016 - 15:03 07-04-2016 - 19:59
CVE-2015-5318 6.8
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.
15-06-2016 - 13:14 25-11-2015 - 15:59
CVE-2015-5319 5.0
XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstr
15-06-2016 - 13:13 25-11-2015 - 15:59
CVE-2015-5317 5.0
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
15-06-2016 - 13:13 25-11-2015 - 15:59
CVE-2015-1814 7.5
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.
15-06-2016 - 13:04 16-10-2015 - 16:59
CVE-2015-1812 4.3
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.
15-06-2016 - 13:02 16-10-2015 - 16:59
CVE-2015-1808 3.5
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.
15-06-2016 - 13:01 16-10-2015 - 16:59
CVE-2015-1807 3.5
Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.
15-06-2016 - 12:58 16-10-2015 - 16:59
CVE-2015-1806 6.5
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.
15-06-2016 - 12:48 16-10-2015 - 16:59
CVE-2015-7528 5.0
Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.
15-06-2016 - 12:32 11-04-2016 - 17:59
CVE-2015-1813 4.3
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.
15-06-2016 - 10:35 16-10-2015 - 16:59
CVE-2015-1810 4.6
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserve
15-06-2016 - 10:35 16-10-2015 - 16:59
CVE-2016-1906 10.0
Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
15-06-2016 - 08:42 03-02-2016 - 13:59
CVE-2016-1905 4.0
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
15-06-2016 - 08:32 03-02-2016 - 13:59
CVE-2015-5320 5.0
Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leverag
13-06-2016 - 20:52 25-11-2015 - 15:59
CVE-2015-5321 5.0
The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.
13-06-2016 - 20:51 25-11-2015 - 15:59
CVE-2015-5322 5.0
Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.
13-06-2016 - 20:49 25-11-2015 - 15:59
CVE-2015-5323 6.5
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.
13-06-2016 - 20:48 25-11-2015 - 15:59
CVE-2015-5324 5.0
Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.
13-06-2016 - 20:20 25-11-2015 - 15:59
CVE-2015-5325 7.5
Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.
13-06-2016 - 20:19 25-11-2015 - 15:59
CVE-2015-5326 4.3
Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.
13-06-2016 - 20:15 25-11-2015 - 15:59
CVE-2015-7537 6.8
Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method
13-06-2016 - 20:13 03-02-2016 - 13:59
CVE-2015-7538 6.8
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.
13-06-2016 - 20:10 03-02-2016 - 13:59
CVE-2015-7539 7.6
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.
13-06-2016 - 20:09 03-02-2016 - 13:59
CVE-2016-3708 5.5
Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and a build is run in a namespace that would normally be isolated from pods in other namespaces, allows remote authenticated users to access network resources on restricted pods via a
09-06-2016 - 07:35 08-06-2016 - 13:59
CVE-2016-2142 2.1
Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which allows local users to obtain Active Directory credentials by reading the file.
09-06-2016 - 07:29 08-06-2016 - 13:59
CVE-2016-3703 3.5
Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web brow
09-06-2016 - 07:29 08-06-2016 - 13:59
CVE-2016-2149 4.0
Red Hat OpenShift Enterprise 3.2 allows remote authenticated users to read log files from another namespace by using the same name as a previously deleted namespace when creating a new namespace.
09-06-2016 - 07:25 08-06-2016 - 13:59
CVE-2016-3738 6.5
Red Hat OpenShift Enterprise 3.2 does not properly restrict access to STI builds, which allows remote authenticated users to access the Docker socket and gain privileges via vectors related to build-pod.
09-06-2016 - 07:24 08-06-2016 - 13:59
CVE-2016-2160 9.0
Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allow remote authenticated users to execute commands with root privileges by changing the root password in an sti builder image.
09-06-2016 - 07:22 08-06-2016 - 13:59
CVE-2016-3711 2.1
HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allows local users to obtain the internal IP address of a pod by reading the "OPENSHIFT_[namespace]_SERVERID" cookie.
09-06-2016 - 07:20 08-06-2016 - 13:59
CVE-2014-3674 7.5
Red Hat OpenShift Enterprise before 2.2 does not properly restrict access to gears, which allows remote attackers to access the network resources of arbitrary gears via unspecified vectors.
20-11-2015 - 11:02 13-11-2014 - 16:32
CVE-2014-3602 2.1
Red Hat OpenShift Enterprise before 2.2 allows local users to obtain IP address and port number information for remote systems by reading /proc/net/tcp.
20-11-2015 - 11:01 13-11-2014 - 16:32
CVE-2015-5305 6.4
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
09-11-2015 - 08:46 06-11-2015 - 13:59
CVE-2015-5274 6.5
rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker.
22-09-2015 - 14:54 18-09-2015 - 10:59
CVE-2015-5250 4.0
The API server in OpenShift Origin 1.0.5 allows remote attackers to cause a denial of service (master process crash) via crafted JSON data.
09-09-2015 - 13:09 08-09-2015 - 11:59
CVE-2015-5222 8.5
Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissions, which allows remote authenticated users with build permissions to execute arbitrary shell commands with root permissions on arbitrary build pods via unspecified vectors.
25-08-2015 - 14:20 24-08-2015 - 10:59
CVE-2013-2035 4.4
Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with
17-01-2015 - 21:59 28-08-2013 - 19:55
CVE-2014-0233 6.5
Red Hat OpenShift Enterprise 2.0 and 2.1 and OpenShift Origin allow remote authenticated users to execute arbitrary commands via shell metacharacters in a directory name that is referenced by a cartridge using the file: URI scheme.
17-11-2014 - 12:24 16-11-2014 - 06:59
CVE-2014-0164 2.1
openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information b
30-06-2014 - 14:32 05-05-2014 - 13:06
CVE-2014-0188 7.5
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary
24-04-2014 - 15:06 24-04-2014 - 10:55
CVE-2014-0003 7.5
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
19-04-2014 - 00:45 21-03-2014 - 00:38
CVE-2013-4073 6.8
The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name fie
01-04-2014 - 02:22 17-08-2013 - 22:52
CVE-2013-4330 6.8
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.
26-03-2014 - 00:50 04-10-2013 - 13:55
CVE-2013-4287 4.3
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote at
05-03-2014 - 23:47 17-10-2013 - 19:55
CVE-2012-2126 4.3
RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
13-01-2014 - 23:17 01-10-2013 - 13:55
CVE-2012-2125 5.8
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
13-01-2014 - 23:17 01-10-2013 - 13:55
CVE-2013-4136 4.4
ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.
10-10-2013 - 15:09 30-09-2013 - 17:55
Back to Top Mark selected
Back to Top