Redhat Openshift Container Platform vulnerabilities

CVE-2019-1010238 [CRITICAL] CWE-787 CVE-2019-1010238: Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer ove Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to funct

CVE-2019-10354 [MEDIUM] CWE-862 CVE-2019-10354: A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earl A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

CVE-2019-3889 [MEDIUM] CWE-79 CVE-2019-3889: A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. An attacker could use this flaw to steal authorization data by getting them to click on a malicious link.

CVE-2018-11307 [CRITICAL] CWE-502 CVE-2018-11307: An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default ty An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

CVE-2019-10150 [MEDIUM] CWE-287 CVE-2019-10150: It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.

CVE-2019-2698 [HIGH] CVE-2019-2698: Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This

CVE-2019-2602 [HIGH] CWE-400 CVE-2019-2602: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded.

CVE-2019-2684 [MEDIUM] CVE-2019-2684: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supp Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful

CVE-2019-3899 [CRITICAL] CWE-592 CVE-2019-3899: It was found that default configuration of Heketi does not require any authentication potentially ex It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.

CVE-2019-11244 [MEDIUM] CWE-524 CVE-2019-11244: In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache- In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups

CVE-2019-1003049 [HIGH] CVE-2019-1003049: Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

CVE-2019-1003050 [MEDIUM] CWE-79 CVE-2019-1003050: The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.1 The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

CVE-2019-0211 [HIGH] CWE-416 CVE-2019-0211: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executi In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are

CVE-2019-3876 [MEDIUM] CWE-352 CVE-2019-3876: A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens.

CVE-2019-1002100 [MEDIUM] CWE-770 CVE-2019-1002100: In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a

CVE-2019-1002101 [MEDIUM] CWE-59 CVE-2019-1002101: The kubectl cp command allows copying files between containers and the user machine. To copy files f The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious result

CVE-2019-1003040 [CRITICAL] CWE-470 CVE-2019-1003040: A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers t A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

CVE-2019-1003041 [CRITICAL] CWE-470 CVE-2019-1003041: A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

CVE-2019-3826 [MEDIUM] CWE-79 CVE-2019-3826: A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. A A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.

CVE-2019-7609 [CRITICAL] CWE-94 CVE-2019-7609: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion vis Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host syst