Vulnerabilities > Redhat > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-02-17 CVE-2020-1693 XXE vulnerability in Redhat Spacewalk 1.6/2.6
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint.
network
low complexity
redhat CWE-611
critical
9.8
2020-02-12 CVE-2014-0234 Insecure Default Initialization of Resource vulnerability in Redhat Openshift
The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920.
network
low complexity
redhat CWE-1188
critical
9.8
2020-02-08 CVE-2015-5741 HTTP Request Smuggling vulnerability in multiple products
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.
network
low complexity
golang redhat CWE-444
critical
9.8
2020-02-07 CVE-2019-15606 Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
network
low complexity
nodejs oracle debian redhat opensuse
critical
9.8
2020-02-07 CVE-2019-15605 HTTP Request Smuggling vulnerability in multiple products
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
network
low complexity
nodejs debian fedoraproject opensuse redhat oracle CWE-444
critical
9.8
2020-01-29 CVE-2019-20445 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
network
low complexity
netty debian fedoraproject canonical redhat apache CWE-444
critical
9.1
2020-01-29 CVE-2019-20444 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
network
low complexity
netty debian fedoraproject canonical redhat CWE-444
critical
9.1
2020-01-28 CVE-2013-2060 OS Command Injection vulnerability in Redhat Openshift 1.0
The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart.
network
low complexity
redhat CWE-78
critical
9.8
2020-01-23 CVE-2019-17570 Deserialization of Untrusted Data vulnerability in multiple products
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library.
network
low complexity
apache debian canonical fedoraproject redhat CWE-502
critical
9.8
2020-01-07 CVE-2019-14906 A flaw was found with the RHSA-2019:3950 erratum, where it did not fix the CVE-2019-13616 SDL vulnerability.
network
low complexity
libsdl redhat
critical
9.8