Vulnerabilities > Redhat > Openshift Container Platform > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-04-23 | CVE-2019-2684 | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). | 5.9 |
| 2019-04-10 | CVE-2019-1003050 | Cross-site Scripting vulnerability in multiple products The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. | 5.4 |
| 2019-04-01 | CVE-2019-3876 | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Openshift Container Platform A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. | 6.3 |
| 2019-04-01 | CVE-2019-1002101 | Link Following vulnerability in multiple products The kubectl cp command allows copying files between containers and the user machine. | 5.5 |
| 2019-04-01 | CVE-2019-1002100 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. | 6.5 |
| 2019-03-26 | CVE-2019-3826 | Cross-site Scripting vulnerability in multiple products A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. | 6.1 |
| 2019-02-06 | CVE-2019-1003014 | Cross-site Scripting vulnerability in multiple products An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file. | 4.8 |
| 2019-02-06 | CVE-2019-1003013 | Cross-site Scripting vulnerability in multiple products An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. | 5.4 |
| 2019-02-06 | CVE-2019-1003012 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. | 6.5 |
| 2019-02-06 | CVE-2019-1003010 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. | 4.3 |