Filtered by vendor Redhat Subscriptions
Filtered by product Logging Subscriptions
Total 126 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-0874 1 Redhat 3 Acm, Logging, Openshift 2024-12-23 5.3 Medium
A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 364 Http Server, Opensearch Data Prepper, Apisix and 361 more 2024-12-20 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2022-25883 2 Npmjs, Redhat 10 Semver, Acm, Enterprise Linux and 7 more 2024-12-06 5.3 Medium
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CVE-2023-26136 2 Redhat, Salesforce 8 Acm, Jboss Enterprise Application Platform, Logging and 5 more 2024-12-03 6.5 Medium
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
CVE-2023-22796 2 Activesupport Project, Redhat 3 Activesupport, Logging, Satellite 2024-11-27 7.5 High
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
CVE-2024-0646 2 Linux, Redhat 8 Linux Kernel, Enterprise Linux, Logging and 5 more 2024-11-25 7 High
An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2024-5037 1 Redhat 4 Logging, Openshift, Openshift Container Platform and 1 more 2024-11-24 7.5 High
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication.
CVE-2024-0193 2 Linux, Redhat 5 Linux Kernel, Enterprise Linux, Logging and 2 more 2024-11-24 7.8 High
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.
CVE-2023-4456 1 Redhat 2 Logging, Openshift Logging 2024-11-23 5.7 Medium
A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.
CVE-2024-0567 5 Debian, Fedoraproject, Gnu and 2 more 9 Debian Linux, Fedora, Gnutls and 6 more 2024-11-23 7.5 High
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
CVE-2024-0553 3 Fedoraproject, Gnu, Redhat 6 Fedora, Gnutls, Enterprise Linux and 3 more 2024-11-23 7.5 High
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVE-2023-5981 3 Fedoraproject, Gnu, Redhat 7 Fedora, Gnutls, Enterprise Linux and 4 more 2024-11-23 5.9 Medium
A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
CVE-2024-6104 2 Hashicorp, Redhat 11 Retryablehttp, Advanced Cluster Security, Cluster Observability Operator and 8 more 2024-11-21 6 Medium
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
CVE-2024-34158 2 Go Build Constraint, Redhat 11 Go Standard Library, Cryostat, Enterprise Linux and 8 more 2024-11-21 7.5 High
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156 2 Go Standard Library, Redhat 16 Encoding\/gob, Advanced Cluster Security, Cryostat and 13 more 2024-11-21 7.5 High
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155 1 Redhat 13 Cost Management, Cryostat, Enterprise Linux and 10 more 2024-11-21 4.3 Medium
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-28849 1 Redhat 13 Acm, Advanced Cluster Security, Ansible Automation Platform and 10 more 2024-11-21 6.5 Medium
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-28180 1 Redhat 12 Acm, Advanced Cluster Security, Container Native Virtualization and 9 more 2024-11-21 4.3 Medium
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
CVE-2024-24791 2 Go Standard Library, Redhat 16 Net\/http, Container Native Virtualization, Cost Management and 13 more 2024-11-21 7.5 High
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
CVE-2024-24790 2 Golang, Redhat 18 Go, Advanced Cluster Security, Ansible Automation Platform and 15 more 2024-11-21 9.8 Critical
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.