Filtered by vendor Redhat
Subscribe
Total
5572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-1733 | 3 Debian, Fedoraproject, Redhat | 6 Debian Linux, Fedora, Ansible and 3 more | 2023-11-07 | 3.7 LOW | 5.0 MEDIUM |
| A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'. | |||||
| CVE-2020-1732 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Continuous Delivery, Openshift Application Runtimes and 1 more | 2023-11-07 | 4.9 MEDIUM | 4.2 MEDIUM |
| A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request. | |||||
| CVE-2020-1731 | 1 Redhat | 1 Keycloak Operator | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace. | |||||
| CVE-2020-1730 | 6 Canonical, Fedoraproject, Libssh and 3 more | 6 Ubuntu Linux, Fedora, Libssh and 3 more | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability. | |||||
| CVE-2020-1728 | 2 Quarkus, Redhat | 2 Quarkus, Keycloak | 2023-11-07 | 5.8 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. | |||||
| CVE-2020-1727 | 1 Redhat | 1 Keycloak | 2023-11-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients. | |||||
| CVE-2020-1724 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | |||||
| CVE-2020-1720 | 2 Postgresql, Redhat | 4 Postgresql, Decision Manager, Enterprise Linux and 1 more | 2023-11-07 | 3.5 LOW | 6.5 MEDIUM |
| A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. | |||||
| CVE-2020-1718 | 1 Redhat | 3 Jboss Fuse, Keycloak, Openshift Application Runtimes | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. | |||||
| CVE-2020-1712 | 3 Debian, Redhat, Systemd Project | 7 Debian Linux, Ceph Storage, Discovery and 4 more | 2023-11-07 | 4.6 MEDIUM | 7.8 HIGH |
| A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. | |||||
| CVE-2020-1711 | 4 Debian, Opensuse, Qemu and 1 more | 5 Debian Linux, Leap, Qemu and 2 more | 2023-11-07 | 6.0 MEDIUM | 6.0 MEDIUM |
| An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. | |||||
| CVE-2020-1704 | 1 Redhat | 1 Openshift Service Mesh | 2023-11-07 | 4.6 MEDIUM | 7.8 HIGH |
| An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. | |||||
| CVE-2020-1700 | 4 Canonical, Ceph, Opensuse and 1 more | 4 Ubuntu Linux, Ceph, Leap and 1 more | 2023-11-07 | 6.8 MEDIUM | 6.5 MEDIUM |
| A flaw was found in the way the Ceph RGW Beast front-end handles unexpected disconnects. An authenticated attacker can abuse this flaw by making multiple disconnect attempts resulting in a permanent leak of a socket connection by radosgw. This flaw could lead to a denial of service condition by pile up of CLOSE_WAIT sockets, eventually leading to the exhaustion of available resources, preventing legitimate users from connecting to the system. | |||||
| CVE-2020-1699 | 2 Linuxfoundation, Redhat | 2 Ceph, Ceph Storage | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| A path traversal flaw was found in the Ceph dashboard implemented in upstream versions v14.2.5, v14.2.6, v15.0.0 of Ceph storage and has been fixed in versions 14.2.7 and 15.1.0. An unauthenticated attacker could use this flaw to cause information disclosure on the host machine running the Ceph dashboard. | |||||
| CVE-2020-1698 | 1 Redhat | 1 Keycloak | 2023-11-07 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2020-1697 | 1 Redhat | 2 Keycloak, Single Sign-on | 2023-11-07 | 3.5 LOW | 5.4 MEDIUM |
| It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. | |||||
| CVE-2020-1695 | 2 Fedoraproject, Redhat | 2 Fedora, Resteasy | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed. | |||||
| CVE-2020-1693 | 1 Redhat | 1 Spacewalk | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server. | |||||
| CVE-2020-15136 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2023-11-07 | 5.8 MEDIUM | 6.5 MEDIUM |
| In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality. | |||||
| CVE-2020-15115 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort. | |||||