| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Openshift has shell command injection flaws due to unsanitized data being passed into shell commands. |
| Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS. |
| Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine. |
| QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process. |
| Foreman has improper input validation which could lead to partial Denial of Service |
| The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action. |
| Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly. |
| It was reported that watchman in openshift node-utils creates /var/run/watchman.pid and /var/log/watchman.ouput with world writable permission. |
| katello-headpin is vulnerable to CSRF in REST API |
| OpenShift: Install script has temporary file creation vulnerability which can result in arbitrary code execution |
| perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input. |
| node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware |
| JBossWeb Bayeux has reflected XSS |
| Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits |
| Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents |
| The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket. |
| Cache Poisoning issue exists in DNS Response Rate Limiting. |
| The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. |
| php-symfony2-Validator has loss of information during serialization |
| In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. This may lead to loss of confidentiality and integrity. |
