Filtered by vendor Redhat Subscriptions
Filtered by product Openshift Container Storage Subscriptions
Total 24 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-9355 1 Redhat 21 Amq Streams, Ansible Automation Platform, Container Native Virtualization and 18 more 2024-12-24 6.5 Medium
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.
CVE-2024-1394 1 Redhat 23 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 20 more 2024-12-23 7.5 High
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.
CVE-2021-4048 5 Fedoraproject, Julialang, Lapack Project and 2 more 8 Fedora, Julia, Lapack and 5 more 2024-11-21 9.1 Critical
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
CVE-2021-3979 2 Fedoraproject, Redhat 8 Fedora, Ceph Storage, Ceph Storage For Ibm Z Systems and 5 more 2024-11-21 6.5 Medium
A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks.
CVE-2021-3529 1 Redhat 3 Noobaa-operator, Openshift Container Platform, Openshift Container Storage 2024-11-21 7.1 High
A flaw was found in noobaa-core in versions before 5.7.0. This flaw results in the name of an arbitrarily URL being copied into an HTML document as plain text between tags, including potentially a payload script. The input was echoed unmodified in the application response, resulting in arbitrary JavaScript being injected into an application's response. The highest threat to the system is for confidentiality, availability, and integrity.
CVE-2021-3528 1 Redhat 2 Noobaa-operator, Openshift Container Storage 2024-11-21 8.8 High
A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.
CVE-2021-3114 5 Debian, Fedoraproject, Golang and 2 more 13 Debian Linux, Fedora, Go and 10 more 2024-11-21 6.5 Medium
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
CVE-2021-27918 2 Golang, Redhat 4 Go, Enterprise Linux, Openshift Container Storage and 1 more 2024-11-21 7.5 High
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2020-8565 2 Kubernetes, Redhat 3 Kubernetes, Openshift Container Storage, Openshift Data Foundation 2024-11-21 4.7 Medium
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.
CVE-2020-8237 2 Json-bigint Project, Redhat 2 Json-bigint, Openshift Container Storage 2024-11-21 7.5 High
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-7774 4 Oracle, Redhat, Siemens and 1 more 7 Graalvm, Enterprise Linux, Openshift and 4 more 2024-11-21 7.3 High
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
CVE-2020-7720 2 Digitalbazaar, Redhat 3 Forge, Ansible Tower, Openshift Container Storage 2024-11-21 9.8 Critical
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
CVE-2020-7608 2 Redhat, Yargs 5 Enterprise Linux, Openshift Container Storage, Quay and 2 more 2024-11-21 5.3 Medium
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
CVE-2020-28362 4 Fedoraproject, Golang, Netapp and 1 more 12 Fedora, Go, Cloud Insights Telegraf Agent and 9 more 2024-11-21 7.5 High
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
CVE-2020-27781 2 Fedoraproject, Redhat 6 Fedora, Ceph, Ceph Storage and 3 more 2024-11-21 7.1 High
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.
CVE-2020-26301 3 Microsoft, Redhat, Ssh2 Project 3 Windows, Openshift Container Storage, Ssh2 2024-11-21 7.5 High
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.
CVE-2020-26289 2 Date-and-time Project, Redhat 2 Date-and-time, Openshift Container Storage 2024-11-21 7.5 High
date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2.
CVE-2020-26160 2 Jwt-go Project, Redhat 6 Jwt-go, Container Native Virtualization, Cryostat and 3 more 2024-11-21 7.5 High
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
CVE-2020-25677 2 Ceph, Redhat 3 Ceph-ansible, Ceph Storage, Openshift Container Storage 2024-11-21 5.5 Medium
A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality.
CVE-2020-25660 2 Fedoraproject, Redhat 5 Fedora, Ceph, Ceph Storage and 2 more 2024-11-21 8.8 High
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph service via a packet sniffer and perform actions allowed by the Ceph service. This issue is a reintroduction of CVE-2018-1128, affecting the msgr2 protocol. The msgr 2 protocol is used for all communication except older clients that do not support the msgr2 protocol. The msgr1 protocol is not affected. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.