Filtered by vendor Redhat Subscriptions
Filtered by product Advanced Cluster Security Subscriptions
Total 72 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-33197 2 Golang, Redhat 11 Go, Advanced Cluster Security, Container Native Virtualization and 8 more 2024-11-21 5.3 Medium
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-33195 3 Golang, Netapp, Redhat 12 Go, Cloud Insights Telegraf Agent, Advanced Cluster Security and 9 more 2024-11-21 7.3 High
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-32690 2 Helm, Redhat 5 Helm, Acm, Advanced Cluster Security and 2 more 2024-11-21 6.8 Medium
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.
CVE-2021-31525 3 Fedoraproject, Golang, Redhat 11 Fedora, Go, Advanced Cluster Security and 8 more 2024-11-21 5.9 Medium
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-29923 4 Fedoraproject, Golang, Oracle and 1 more 13 Fedora, Go, Timesten In-memory Database and 10 more 2024-11-21 7.5 High
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-23820 2 Jsonpointer Project, Redhat 2 Jsonpointer, Advanced Cluster Security 2024-11-21 5.6 Medium
This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.
CVE-2021-23343 2 Path-parse Project, Redhat 7 Path-parse, Acm, Advanced Cluster Security and 4 more 2024-11-21 5.3 Medium
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2020-27304 3 Civetweb Project, Redhat, Siemens 3 Civetweb, Advanced Cluster Security, Sinec Infrastructure Network Services 2024-11-21 9.8 Critical
The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal
CVE-2019-25210 1 Redhat 2 Advanced Cluster Security, Openshift 2024-11-21 9.1 Critical
An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). Also, it is not the Helm Project's responsibility if a user decides to use --dry-run within a CI/CD environment whose output is visible to unauthorized persons.
CVE-2024-21538 2 Cross-spawn, Redhat 6 Cross-spawn, Advanced Cluster Security, Openshift and 3 more 2024-11-19 7.5 High
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
CVE-2024-48910 2 Cure53, Redhat 3 Dompurify, Advanced Cluster Security, Openshift 2024-11-01 9.1 Critical
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
CVE-2024-45590 3 Expressjs, Openjsf, Redhat 10 Body-parser, Body-parser, Advanced Cluster Security and 7 more 2024-09-20 7.5 High
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.