Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift Devspaces
Subscriptions
Total
49 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3635 | 2 Redhat, Squareup | 6 Amq Streams, Jboss Enterprise Bpms Platform, Jboss Fuse and 3 more | 2024-11-21 | 5.9 Medium |
| GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class. | ||||
| CVE-2023-3089 | 1 Redhat | 18 Acm, Amq Streams, Container Native Virtualization and 15 more | 2024-11-21 | 7 High |
| A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. | ||||
| CVE-2022-46175 | 3 Fedoraproject, Json5, Redhat | 9 Fedora, Json5, Logging and 6 more | 2024-11-21 | 7.1 High |
| JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later. | ||||
| CVE-2022-28948 | 3 Netapp, Redhat, Yaml Project | 4 Astra Trident, Cryostat, Openshift Devspaces and 1 more | 2024-11-21 | 7.5 High |
| An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. | ||||
| CVE-2021-0341 | 2 Google, Redhat | 7 Android, Amq Streams, Jboss Data Grid and 4 more | 2024-11-21 | 7.5 High |
| In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069 | ||||
| CVE-2024-21534 | 2 Jsonpath-plus, Redhat | 3 Jsonpath, Openshift Devspaces, Rhdh | 2024-11-18 | 9.8 Critical |
| All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226). | ||||
| CVE-2024-45410 | 2 Redhat, Traefik | 2 Openshift Devspaces, Traefik | 2024-09-25 | 9.8 Critical |
| Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-45813 | 1 Redhat | 3 Acm, Multicluster Engine, Openshift Devspaces | 2024-09-20 | 5.3 Medium |
| find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue. | ||||
| CVE-2024-39338 | 2 Axios, Redhat | 8 Axios, Discovery, Network Observ Optr and 5 more | 2024-08-23 | 4 Medium |
| axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. | ||||