Search Results (1772 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-44192 2 Apple, Redhat 13 Iphone Os, Macos, Safari and 10 more 2026-04-02 6.5 Medium
The issue was addressed with improved checks. This issue is fixed in Safari 18, iOS 18 and iPadOS 18, macOS Sequoia 15, tvOS 18, visionOS 2, watchOS 11. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-36187 2 Ibm, Redhat 3 Knowledge Catalog, Knowledge Catalog Standard Cartridge, Openshift 2026-04-02 4.4 Medium
IBM Knowledge Catalog Standard Cartridge 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5,1.2, 5.1.3, 5.2.0, 5.2.1 stores potentially sensitive information in log files that could be read by a local privileged user.
CVE-2024-8883 1 Redhat 10 Build Keycloak, Build Of Keycloak, Jboss Enterprise Application Platform and 7 more 2026-04-01 6.1 Medium
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
CVE-2023-46129 3 Linuxfoundation, Nats, Redhat 3 Nats-server, Nkeys, Openshift Distributed Tracing 2026-03-30 7.5 High
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
CVE-2026-4645 1 Redhat 7 Advanced Cluster Management For Kubernetes, Enterprise Linux, Migration Toolkit For Applications and 4 more 2026-03-30 7.5 High
Duplicate of CVE-2026-32287
CVE-2026-4427 1 Redhat 11 Advanced Cluster Management For Kubernetes, Advanced Cluster Security, Enterprise Linux and 8 more 2026-03-30 7.5 High
Duplicate of CVE-2026-32286
CVE-2024-4629 1 Redhat 12 Build Keycloak, Build Of Keycloak, Enterprise Linux and 9 more 2026-03-26 6.5 Medium
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
CVE-2023-5981 4 Debian, Fedoraproject, Gnu and 1 more 8 Debian Linux, Fedora, Gnutls and 5 more 2026-03-25 5.9 Medium
A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
CVE-2026-23536 1 Redhat 1 Openshift Ai 2026-03-25 7.5 High
A security issue was discovered in the Feast Feature Server's `/read-document` endpoint that allows an unauthenticated remote attacker to read any file accessible to the server process. By sending a specially crafted HTTP POST request, an attacker can bypass intended access restrictions to potentially retrieve sensitive system files, application configurations, and credentials.
CVE-2024-1485 2 Devfile, Redhat 4 Registry-support, Ocp Tools, Openshift and 1 more 2026-03-24 8 High
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
CVE-2024-0553 3 Fedoraproject, Gnu, Redhat 6 Fedora, Gnutls, Enterprise Linux and 3 more 2026-03-24 7.5 High
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
CVE-2026-23538 1 Redhat 1 Openshift Ai 2026-03-24 7.5 High
A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.
CVE-2024-9341 2 Containers, Redhat 5 Common, Enterprise Linux, Openshift and 2 more 2026-03-19 5.4 Medium
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
CVE-2024-7557 1 Redhat 2 Openshift Ai, Openshift Data Science 2026-03-19 8.8 High
A vulnerability was found in OpenShift AI that allows for authentication bypass and privilege escalation across models within the same namespace. When deploying AI models, the UI provides the option to protect models with authentication. However, credentials from one model can be used to access other models and APIs within the same namespace. The exposed ServiceAccount tokens, visible in the UI, can be utilized with oc --token={token} to exploit the elevated view privileges associated with the ServiceAccount, leading to unauthorized access to additional resources.
CVE-2025-13327 2 Astral, Redhat 3 Uv, Ai Inference Server, Openshift Ai 2026-03-18 6.3 Medium
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package.
CVE-2023-4065 1 Redhat 6 Amq Broker, Enterprise Linux, Jboss A-mq and 3 more 2026-03-18 5.5 Medium
A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.
CVE-2024-1132 1 Redhat 23 Amq Broker, Build Keycloak, Build Of Keycloak and 20 more 2026-03-17 8.1 High
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
CVE-2024-1635 2 Netapp, Redhat 26 Active Iq Unified Manager, Oncommand Workflow Automation, Amq Streams and 23 more 2026-03-17 7.5 High
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
CVE-2022-30633 2 Golang, Redhat 14 Go, Acm, Application Interconnect and 11 more 2026-03-09 7.5 High
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
CVE-2024-41818 2 Naturalintelligence, Redhat 4 Fast-xml-parser, Fast Xml Parser, Container Native Virtualization and 1 more 2026-03-09 7.5 High
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.