Redhat Openshift Container Platform For Power vulnerabilities

CVE-2025-13601 [HIGH] CWE-190 CVE-2025-13601: A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer si A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off t

CVE-2025-6021 [HIGH] CWE-787 CVE-2025-6021: A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calcula A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

CVE-2024-9676 [MEDIUM] CWE-22 CVE-2024-9676: A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the co A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/sto

CVE-2024-8883 [MEDIUM] CWE-601 CVE-2024-8883: A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

CVE-2024-4629 [MEDIUM] CWE-837 CVE-2024-4629: A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection b A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses

CVE-2024-1132 [HIGH] CWE-22 CVE-2024-1132: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URI

CVE-2024-1725 [MEDIUM] CWE-501 CVE-2024-1725: A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (H A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.

CVE-2024-1635 [HIGH] CWE-400 CVE-2024-1635: A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the

CVE-2023-6291 [HIGH] CWE-601 CVE-2023-6291: A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

CVE-2023-2585 [LOW] CWE-358 CVE-2023-2585: Keycloak's device authorization grant does not correctly validate the device code and client ID. An Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

CVE-2023-6563 [HIGH] CWE-770 CVE-2023-6563: An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge

CVE-2023-6134 [MEDIUM] CWE-79 CVE-2023-6134: A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildc A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

CVE-2023-5625 [MEDIUM] CVE-2023-5625: A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch app A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.

CVE-2023-3223 [HIGH] CWE-789 CVE-2023-3223: A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to nu

CVE-2022-4318 [HIGH] CWE-538 CVE-2022-4318: A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/pass A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

CVE-2022-4039 [HIGH] CWE-276 CVE-2022-4039: A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.

CVE-2022-3916 [MEDIUM] CWE-384 CVE-2022-3916: A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared co A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authen

CVE-2023-1108 [HIGH] CWE-835 CVE-2023-1108: A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unex A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

CVE-2022-4361 [CRITICAL] CWE-81 CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) v Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

CVE-2023-3089 [HIGH] CWE-693 CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.