Search for packages
| purl | pkg:rpm/redhat/atomic-openshift@3.11.82-1.git.0.08bc31b?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1s7q-drqn-4bhd
Aliases: CVE-2019-3826 GHSA-3m87-5598-2v4f |
Withdrawn Advisory: Prometheus XSS Vulnerability ## Withdrawn Advisory This advisory has been withdrawn because the vulnerability does not apply to the Prometheus golang package. This link is maintained to preserve external references. ## Original Description A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. | There are no reported fixed by versions. |
|
VCID-2hfm-g99a-67de
Aliases: CVE-2018-1000865 GHSA-p4p5-3v2j-w5rv |
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. | There are no reported fixed by versions. |
|
VCID-2qhb-fu9x-k7bd
Aliases: CVE-2019-1003001 GHSA-6q78-6xvr-26fg |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | There are no reported fixed by versions. |
|
VCID-31wf-mpnt-dycm
Aliases: CVE-2018-20102 |
haproxy: Out-of-bounds read in dns.c:dns_validate_dns_response() allows for memory disclosure | There are no reported fixed by versions. |
|
VCID-48er-rqvk-nyhg
Aliases: CVE-2018-20103 |
haproxy: Infinite recursion via crafted packet allows stack exhaustion and denial of service | There are no reported fixed by versions. |
|
VCID-537v-ugyf-17e2
Aliases: CVE-2019-1003014 GHSA-pmc5-74w3-78mw |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file. | There are no reported fixed by versions. |
|
VCID-6ncw-2m21-t3bg
Aliases: CVE-2018-1000866 GHSA-gqhm-4h93-rrhg |
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM | There are no reported fixed by versions. |
|
VCID-8575-gsc8-xkd6
Aliases: CVE-2019-1003010 GHSA-r8rw-xx57-m64q |
Cross-Site Request Forgery (CSRF) A cross-site request forgery vulnerability exists in Jenkins Git Plugin in `src/main/java/hudson/plugins/git/GitTagAction.java` allowing attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. | There are no reported fixed by versions. |
|
VCID-8e1s-dgj6-vyfq
Aliases: CVE-2018-20615 |
haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash | There are no reported fixed by versions. |
|
VCID-a6ur-dzqs-hfge
Aliases: CVE-2019-1003000 GHSA-784j-h234-m56x |
Code Injection A sandbox bypass vulnerability exists in Script Security Plugin that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM. | There are no reported fixed by versions. |
|
VCID-bmfa-vgay-2fbt
Aliases: CVE-2019-1003012 GHSA-qxh5-5r5p-5gvf |
Cross-Site Request Forgery (CSRF) A data modification vulnerability exists in Jenkins Blue Ocean Plugins in `blueocean-core-js/src/js/bundleStartup.js`, `blueocean-core-js/src/js/fetch.ts`, `blueocean-core-js/src/js/i18n/i18n.js`, `blueocean-core-js/src/js/urlconfig.js`, `blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java`, `blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java`, `blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly` that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. | There are no reported fixed by versions. |
|
VCID-cf29-8rvn-kfbd
Aliases: CVE-2019-1003003 GHSA-6rh5-23hx-j452 |
Insufficient Session Expiration An improper authorization vulnerability exists in Jenkins in `core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java` that allows attackers with `Overall/RunScripts` permission to craft Remember Me cookies that would never expire, allowing to persist access to temporarily compromised user accounts. | There are no reported fixed by versions. |
|
VCID-gmw4-qd6z-aqht
Aliases: CVE-2019-1003013 GHSA-7fjr-5hph-c2mh |
Cross-site Scripting An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins in `blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java`, `blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export/ExportConfig.java`, `blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java`, `blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java`, `blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly' that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. | There are no reported fixed by versions. |
|
VCID-qdk1-p4qg-p3ar
Aliases: CVE-2019-1003011 GHSA-23h9-m55m-c5jp |
Improper Input Validation An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin which allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. | There are no reported fixed by versions. |
|
VCID-uyuv-7nbj-zfcp
Aliases: CVE-2019-1003004 GHSA-8qxp-g8jv-p37x |
Insufficient Session Expiration An improper authorization vulnerability exists in Jenkins in `core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java` that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time. | There are no reported fixed by versions. |
|
VCID-ygq7-sv7h-7fax
Aliases: CVE-2019-1003002 GHSA-x6jx-cxg3-mggh |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||