⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

Create Draft to queue a suggestion for refinement.

Dismiss to remove a suggestion from the queue.

CVE-2024-25590
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 1 week ago
Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor

An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.

pdns-recursor
<4.9.9
<5.0.9
<5.1.2

pkgs.pdns-recursor

Recursive DNS server
Package maintainers: 1
CVE-2024-11407 created 10 months, 1 week ago
Denial of Service through Data corruption in gRPC-C++

There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network thus leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791

grpc
=<1.66.1

pkgs.grpc

C based gRPC (C++, Python, Ruby, Objective-C, PHP, C#)

pkgs.grpcui

Interactive web UI for gRPC, along the lines of postman

pkgs.grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers

pkgs.grpc_cli

Command line tool for interacting with grpc services

pkgs.grpc-tools

Distribution of protoc and the gRPC Node protoc plugin for ease of installation with npm

pkgs.grpc-gateway

A gRPC to JSON proxy generator plugin for Google Protocol Buffers

pkgs.grpc-client-cli

generic gRPC command line client

pkgs.grpc-health-check

Minimal, high performance, memory-friendly, safe implementation of the gRPC health checking protocol

pkgs.kdePackages.qtgrpc

Cross-platform application framework for C++

pkgs.protoc-gen-entgrpc

Generator of an implementation of the service interface for ent protobuff

pkgs.protoc-gen-go-grpc

Go language implementation of gRPC. HTTP/2 based RPC

pkgs.qt6Packages.qtgrpc

Cross-platform application framework for C++

pkgs.protoc-gen-grpc-web

gRPC web support for Google's protocol buffers

pkgs.php81Extensions.grpc

High performance, open source, general RPC framework that puts mobile and HTTP/2 first

pkgs.php82Extensions.grpc

High performance, open source, general RPC framework that puts mobile and HTTP/2 first

pkgs.php83Extensions.grpc

High performance, open source, general RPC framework that puts mobile and HTTP/2 first

pkgs.php84Extensions.grpc

High performance, open source, general RPC framework that puts mobile and HTTP/2 first

pkgs.protoc-gen-rust-grpc

Protobuf plugin for generating Rust code for gRPC

pkgs.python311Packages.grpcio

HTTP/2-based RPC framework

pkgs.python312Packages.grpcio

HTTP/2-based RPC framework

pkgs.python311Packages.grpclib

Pure-Python gRPC implementation for asyncio

pkgs.python312Packages.grpclib

Pure-Python gRPC implementation for asyncio

pkgs.python311Packages.grpcio-gcp

gRPC extensions for Google Cloud Platform

pkgs.python312Packages.grpcio-gcp

gRPC extensions for Google Cloud Platform

pkgs.python311Packages.pytest-grpc

pytest plugin for grpc

pkgs.python312Packages.pytest-grpc

pytest plugin for grpc

pkgs.python311Packages.grpcio-tools

Protobuf code generator for gRPC

pkgs.python312Packages.grpcio-tools

Protobuf code generator for gRPC

pkgs.python311Packages.clarifai-grpc

Clarifai gRPC API Client

pkgs.python311Packages.grpcio-status

GRPC Python status proto mapping

pkgs.python312Packages.clarifai-grpc

Clarifai gRPC API Client

pkgs.python312Packages.grpcio-status

GRPC Python status proto mapping

pkgs.python311Packages.grpcio-testing

Testing utilities for gRPC Python

pkgs.python312Packages.grpcio-testing

Testing utilities for gRPC Python

pkgs.python311Packages.grpcio-channelz

Channel Level Live Debug Information Service for gRPC

pkgs.python312Packages.grpcio-channelz

Channel Level Live Debug Information Service for gRPC

pkgs.python311Packages.grpc-interceptor

Simplified gRPC interceptors

pkgs.python312Packages.grpc-interceptor

Simplified gRPC interceptors

pkgs.python311Packages.grpcio-reflection

Standard Protobuf Reflection Service for gRPC

pkgs.python312Packages.grpcio-reflection

Standard Protobuf Reflection Service for gRPC

pkgs.python311Packages.grpc-google-iam-v1

GRPC library for the google-iam-v1 service

pkgs.python312Packages.grpc-google-iam-v1

GRPC library for the google-iam-v1 service

pkgs.python311Packages.grpcio-health-checking

Standard Health Checking Service for gRPC

pkgs.python312Packages.grpcio-health-checking

Standard Health Checking Service for gRPC

pkgs.python311Packages.opentelemetry-instrumentation-grpc

OpenTelemetry Instrumentation for grpc

pkgs.python312Packages.opentelemetry-instrumentation-grpc

OpenTelemetry Instrumentation for grpc

pkgs.python311Packages.opentelemetry-exporter-otlp-proto-grpc

OpenTelemetry Collector Protobuf over gRPC Exporter

pkgs.python312Packages.opentelemetry-exporter-otlp-proto-grpc

OpenTelemetry Collector Protobuf over gRPC Exporter
Package maintainers: 24
CVE-2024-10041
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 1 week ago
Pam: libpam: libpam vulnerable to read hashed password

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

pam
<1.6.0
*

pkgs.pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

pkgs.ipam

Cli based IPAM written in Go with PowerDNS support

pkgs.opam

Package manager for OCaml

pkgs.paml

Phylogenetic Analysis by Maximum Likelihood (PAML)

pkgs.pamix

Pulseaudio terminal mixer

pkgs.openpam

Open source PAM library that focuses on simplicity, correctness, and cleanliness

pkgs.pam_p11

Authentication with PKCS#11 modules

pkgs.pam_u2f

PAM module for allowing authentication with a U2F device

pkgs.pamixer

Pulseaudio command line mixer

pkgs.pam_krb5

PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC

pkgs.pam_ldap

LDAP backend for PAM

pkgs.linux-pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

pkgs.ncpamixer

Terminal mixer for PulseAudio inspired by pavucontrol

pkgs.opam2json

convert opam file syntax to JSON

pkgs.pam_gnupg

Unlock GnuPG keys on login

pkgs.pam_mount

PAM module to mount volumes for a user session

pkgs.pamtester

Utility program to test the PAM facility

pkgs.pam_ccreds

PAM module to locally authenticate using an enterprise identity when the network is unavailable
  • nixos-unstable 10
    • nixos-unstable-small 10
    • nixpkgs-unstable 10

pkgs.pam_mktemp

PAM for login service to provide per-user private directories

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

pkgs.yubico-pam

Yubico PAM module

pkgs.apparmor-pam

Mandatory access control system - PAM service

pkgs.opam-publish

Tool to ease contributions to opam repositories

pkgs.pam-reattach

Reattach to the user's GUI session on macOS during authentication (for Touch ID support in tmux)

pkgs.spamassassin

Open-Source Spam Filter

pkgs.nss_pam_ldapd

LDAP identity and authentication for NSS/PAM

pkgs.libpam-wrapper

Wrapper for testing PAM modules

pkgs.opam-installer

Handle (un)installation from opam install files

pkgs.pam-honeycreds

PAM module that sends warnings when fake passwords are used

pkgs.rspamd-trainer

Grabs messages from a spam mailbox via IMAP and feeds them to Rspamd for training

pkgs.pam_ssh_agent_auth

PAM module for authentication through the SSH agent

pkgs.google-authenticator

Two-step verification, with pam module

pkgs.lua52Packages.lua-pam

Lua module for PAM authentication

pkgs.kdePackages.kwallet-pam

PAM Integration with KWallet - Unlock KWallet when you login

pkgs.opensmtpd-filter-rspamd

OpenSMTPD filter integration for the Rspamd daemon

pkgs.python311Packages.pamqp

RabbitMQ Focused AMQP low-level library

pkgs.python312Packages.pamqp

RabbitMQ Focused AMQP low-level library

pkgs.python311Packages.pamela

PAM interface using ctypes

pkgs.python312Packages.pamela

PAM interface using ctypes

pkgs.python311Packages.pypamtest

Wrapper for testing PAM modules

pkgs.python312Packages.pypamtest

Wrapper for testing PAM modules

pkgs.python311Packages.python-pam

Python pam module

pkgs.python312Packages.python-pam

Python pam module

pkgs.matrix-synapse-plugins.matrix-synapse-pam

PAM auth provider for the Synapse Matrix server

pkgs.matrix-synapse-plugins.matrix-synapse-mjolnir-antispam

AntiSpam / Banlist plugin to be used with mjolnir

pkgs.vscode-extensions.fabiospampinato.vscode-open-in-github

VS Code extension to open the current project or file in github.com
Package maintainers: 51
CVE-2023-6841
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 1 week ago
Keycloak: amount of attributes per object is not limited and it may lead to dos

A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.

keycloak
<24.0.0
rh-sso7-keycloak

pkgs.keycloak

Identity and access management for modern applications and services
Package maintainers: 3
CVE-2024-1394
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 2 weeks ago
Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.

mcg
odo
rhc
etcd
*
helm
rosa
runc
*
cri-o
*
rhcos
*
butane
*
conmon
*
golang
*
heketi
podman
*
skopeo
*
buildah
*
git-lfs
grafana
*
rsyslog
toolbox
ignition
*
kubevirt
ovn23.09
*
receptor
*
conmon-rs
cri-tools
*
openshift
*
microshift
*
grafana-pcp
*
qpid-proton
skupper-cli
weldr-client
host-metering
skupper-router
openshift-kuryr
*
go-toolset:rhel8
*
gvisor-tap-vsock
*
osbuild-composer
*
openshift-ansible
*
openshift-clients
*
rh-git227-git-lfs
rhc-worker-script
golang-qpid-apache
openshift4-aws-iso
*
collectd-sensubility
*
container-tools:rhel8
*
go-toolset-1.19-golang
*
odf4/mcg-rhel9-operator
*
container-tools:4.0/runc
odf4/mcg-operator-bundle
*
container-tools:4.0/conmon
container-tools:4.0/podman
container-tools:4.0/skopeo
container-tools:rhel8/runc
openshift-pipelines-client
container-tools:4.0/buildah
container-tools:4.0/toolbox
containernetworking-plugins
*
devspaces/machineexec-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
openshift-serverless-clients
container-tools:rhel8/buildah
container-tools:rhel8/toolbox
golang-github-prometheus-promu
redhat-certification-preflight
tang-operator-bundle-container
golang-github-infrawatch-apputils
ose-aws-ecr-image-credential-provider
*
openshift4/ose-cluster-machine-approver
openshift4/numaresources-operator-bundle
lifecycle-agent-operator-bundle-container
openshift-gitops-1/gitops-operator-bundle
openshift4/ose-cluster-machine-approver-rhel9
container-tools:4.0/containernetworking-plugins
container-tools:rhel8/containernetworking-plugins
openshift4/bare-metal-event-relay-operator-bundle
openshift4/topology-aware-lifecycle-manager-operator-bundle
CVE-2024-9355
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 10 months, 2 weeks ago
Golang-fips: golang fips zeroed buffer

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

mcg
odo
rhc
etcd
helm
rosa
runc
cri-o
delve
butane
conmon
golang
*
heketi
podman
skopeo
buildah
git-lfs
*
grafana
*
rsyslog
toolbox
ignition
kubevirt
receptor
conmon-rs
cri-tools
openshift
yggdrasil
microshift
grafana-pcp
*
qpid-proton
skupper-cli
weldr-client
host-metering
skupper-router
go-toolset:rhel8
*
gvisor-tap-vsock
osbuild-composer
*
containers-common
openshift-clients
rhc-worker-script
*
foreman_ygg_worker
*
golang-qpid-apache
rhtas/fulcio-rhel9
go-toolset:rhel8/golang
opentelemetry-collector
automation-gateway-proxy
openshift4/rdma-cni-rhel9
satellite:el8/qpid-proton
container-tools:rhel8/runc
openshift-pipelines-client
yggdrasil-worker-forwarder
containernetworking-plugins
devspaces/machineexec-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
openshift-serverless-clients
container-tools:rhel8/buildah
container-tools:rhel8/toolbox
github.com/golang-fips/openssl
golang-github-prometheus-promu
tang-operator-bundle-container
yggdrasil-worker-package-manager
golang-github-infrawatch-apputils
satellite-capsule:el8/qpid-proton
golang-github-openprinting-ipp-usb
openshift4/ose-sriov-rdma-cni-rhel9
ose-aws-ecr-image-credential-provider
ose-gcp-gcr-image-credential-provider
golang-github-danielqsj-kafka_exporter
ose-azure-acr-image-credential-provider
openshift4/numaresources-operator-bundle
satellite:el8/yggdrasil-worker-forwarder
lifecycle-agent-operator-bundle-container
openshift-gitops-1/gitops-operator-bundle
openshift4/ose-vertical-pod-autoscaler-rhel8
openshift4/ose-vertical-pod-autoscaler-rhel9
openshift4/ose-gcp-filestore-csi-driver-rhel8
openshift4/ose-gcp-filestore-csi-driver-rhel9
openshift4/ose-secrets-store-csi-driver-rhel8
openshift4/ose-secrets-store-csi-driver-rhel9
openshift4/sriov-network-metrics-exporter-rhel9
container-tools:rhel8/containernetworking-plugins
openshift4/bare-metal-event-relay-operator-bundle
openshift4/ose-aws-efs-csi-driver-container-rhel8
openshift4/ose-aws-efs-csi-driver-container-rhel9
openshift4/ose-sriov-network-metrics-exporter-rhel9
openshift4/topology-aware-lifecycle-manager-operator-bundle
CVE-2024-3727
8.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 10 months, 2 weeks ago
Containers/image: digest type does not guarantee valid type

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

cri-o
*
image
<5.30.1
<5.29.3
rhcos
*
conmon
podman
*
skopeo
*
buildah
*
atomic-openshift
osbuild-composer
containers-common
openshift-clients
openshift4/ose-cli
devspaces/udi-rhel8
openshift4/ose-tests
*
container-tools:rhel8
*
openshift4/ose-console
*
openshift4/ose-deployer
quay/quay-builder-rhel8
openshift4/ose-installer
openshift4/ose-sdn-rhel9
*
ocp-tools-4/jenkins-rhel8
source-to-image-container
container-tools:4.0/conmon
container-tools:4.0/podman
container-tools:4.0/skopeo
openshift4/ose-tools-rhel8
*
container-tools:4.0/buildah
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
openshift-serverless-clients
openshift4/ose-cli-artifacts
container-tools:rhel8/buildah
oadp/oadp-velero-plugin-rhel8
oadp/oadp-velero-plugin-rhel9
*
openshift4/ose-docker-builder
*
multicluster-engine/hive-rhel8
multicluster-engine/hive-rhel9
openshift4/network-tools-rhel8
*
openshift4/ose-hypershift-rhel9
*
openshift4/ose-olm-rukpak-rhel8
openshift4/ose-operator-registry
rhacm2/submariner-rhel8-operator
openshift4/oc-mirror-plugin-rhel8
openshift4/oc-mirror-plugin-rhel9
*
openshift4/ose-installer-artifacts
osp-director-provisioner-container
virt-cdi-apiserver-rhel9-container
openshift4/assisted-installer-rhel8
openshift4/ose-ovn-kubernetes-rhel9
*
ocp-tools-4/jenkins-agent-base-rhel8
container-tools:4.0/containers-common
source-to-image/source-to-image-rhel8
openshift-serverless-1/client-kn-rhel8
openshift4/ose-insights-rhel9-operator
*
openshift4/ose-machine-config-operator
openshift4/ose-operator-registry-rhel9
*
container-tools:rhel8/containers-common
multicluster-engine/agent-service-rhel8
openshift4/ose-installer-altinfra-rhel8
openshift4/ose-installer-altinfra-rhel9
openshift4/ose-baremetal-installer-rhel7
openshift4/ose-baremetal-installer-rhel8
openshift4/ose-openshift-apiserver-rhel7
openshift4/ose-openshift-apiserver-rhel8
openshift4/ose-openshift-apiserver-rhel9
*
openshift4/assisted-installer-agent-rhel8
openshift4/ose-machine-api-rhel9-operator
*
openshift4/ose-operator-lifecycle-manager
*
advanced-cluster-security/rhacs-main-rhel8
*
ose-openshift-controller-manager-container
rhai-tech-preview/assisted-installer-rhel8
rhmtc/openshift-migration-controller-rhel8
*
ose-installer-terraform-providers-container
advanced-cluster-security/rhacs-roxctl-rhel8
*
multicluster-engine/assisted-installer-rhel8
openshift4/assisted-installer-reporter-rhel8
openshift4/ose-apiserver-network-proxy-rhel9
*
openshift4/ose-machine-config-rhel9-operator
*
openshift4/ose-olm-operator-controller-rhel8
openshift4/ose-olm-operator-controller-rhel9
*
advanced-cluster-security/rhacs-scanner-rhel8
*
openshift4/ose-cluster-ingress-rhel9-operator
*
openshift4/ose-cluster-network-rhel9-operator
*
rhacm2-tech-preview/submariner-rhel8-operator
advanced-cluster-security/rhacs-rhel8-operator
*
openshift4/ose-openshift-proxy-pull-test-rhel8
openshift4/ose-ovn-kubernetes-microshift-rhel9
*
advanced-cluster-security/rhacs-collector-rhel8
*
advanced-cluster-security/rhacs-operator-bundle
*
container-native-virtualization/virt-cdi-cloner
openshift4/ose-agent-installer-api-server-rhel8
*
openshift4/ose-agent-installer-api-server-rhel9
*
openshift4/ose-agent-installer-node-agent-rhel8
openshift4/ose-agent-installer-node-agent-rhel9
*
openshift4/ose-operator-lifecycle-manager-rhel9
*
advanced-cluster-security/rhacs-central-db-rhel8
*
advanced-cluster-security/rhacs-scanner-db-rhel8
*
advanced-cluster-security/rhacs-scanner-v4-rhel8
*
openshift4/ose-alibaba-machine-controllers-rhel9
*
openshift4/ose-cluster-autoscaler-rhel9-operator
*
openshift4/ose-multus-admission-controller-rhel9
*
openshift4/ose-multus-whereabouts-ipam-cni-rhel8
*
openshift4/ose-nutanix-machine-controllers-rhel9
*
openshift4/ose-powervs-machine-controllers-rhel9
*
rhai-tech-preview/assisted-installer-agent-rhel8
container-native-virtualization/virt-cdi-importer
container-native-virtualization/virt-cdi-operator
openshift-sandboxed-containers/osc-rhel8-operator
openshift-sandboxed-containers/osc-rhel9-operator
openshift4/ose-agent-installer-csr-approver-rhel8
openshift4/ose-agent-installer-csr-approver-rhel9
openshift4/ose-agent-installer-orchestrator-rhel8
*
openshift4/ose-agent-installer-orchestrator-rhel9
*
openshift4/ose-cluster-node-tuning-rhel9-operator
*
openshift4/ose-openshift-controller-manager-rhel7
openshift4/ose-openshift-controller-manager-rhel8
openshift4/ose-openshift-controller-manager-rhel9
*
advanced-cluster-security/rhacs-scanner-slim-rhel8
*
container-native-virtualization/virt-cdi-apiserver
multicluster-engine/assisted-installer-agent-rhel8
advanced-cluster-security/rhacs-scanner-v4-db-rhel8
*
container-native-virtualization/virt-cdi-controller
rhai-tech-preview/assisted-installer-reporter-rhel8
advanced-cluster-security/rhacs-collector-slim-rhel8
*
container-native-virtualization/virt-cdi-uploadproxy
openshift-sandboxed-containers/osc-must-gather-rhel8
openshift-sandboxed-containers/osc-must-gather-rhel9
advanced-cluster-security/rhacs-scanner-db-slim-rhel8
*
container-native-virtualization/virt-cdi-cloner-rhel9
container-native-virtualization/virt-cdi-uploadserver
multicluster-engine/assisted-installer-reporter-rhel8
openshift4/ose-powervs-cloud-controller-manager-rhel9
*
multicluster-engine-assisted-installer-agent-container
container-native-virtualization/virt-cdi-importer-rhel9
container-native-virtualization/virt-cdi-operator-rhel9
container-native-virtualization/virt-cdi-apiserver-rhel9
container-native-virtualization/virt-cdi-controller-rhel9
*
container-native-virtualization/virt-cdi-uploadproxy-rhel9
container-native-virtualization/virt-cdi-uploadserver-rhel9
openshift-sandboxed-containers-tech-preview/osc-rhel8-operator
openshift4/ose-cluster-control-plane-machine-set-rhel9-operator
*
openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8
CVE-2024-6156
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 2 weeks ago
Mark Laing discovered that LXD's PKI mode, until version 5.21.2, …

Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.

lxd
<4.0.10
<6.1
<5.21.2
<5.0.4
CVE-2024-9902
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
created 10 months, 2 weeks ago
Ansible-core: ansible-core user may read/write unauthorized content

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

ansible-core
*
openstack-ansible-core
ansible-automation-platform/ee-29-rhel8
*
ansible-automation-platform/ee-minimal-rhel8
*
ansible-automation-platform/ee-minimal-rhel9
*
ansible-automation-platform/ansible-builder-rhel8
*
ansible-automation-platform/ansible-builder-rhel9
*
CVE-2024-8676
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 10 months, 2 weeks ago
Cri-o: checkpoint restore can be triggered from different namespaces

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

cri-o
<1.30.8
*
<1.29.11
<1.31.3
rhcos
*
conmon
container-tools:rhel8/conmon
container-tools:rhel8/podman