RHSA-2022:1620: Red Hat Security Advisory: OpenShift Container Platform 4.6.57 packages and security update

Red Hat OpenShift Container Platform release 4.6.57 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
  • CVE-2022-25173: workflow-cps: OS command execution through crafted SCM contents
  • CVE-2022-25174: workflow-cps-global-lib: OS command execution through crafted SCM contents
  • CVE-2022-25175: workflow-multibranch: OS command execution through crafted SCM contents
  • CVE-2022-25176: workflow-cps: Pipeline-related plugins follow symbolic links or do not limit path names
  • CVE-2022-25177: workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names
  • CVE-2022-25178: workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names
  • CVE-2022-25179: workflow-multibranch: Pipeline-related plugins follow symbolic links or do not limit path names
  • CVE-2022-25180: workflow-cps: Password parameters are included from the original build in replayed builds
  • CVE-2022-25181: workflow-cps-global-lib: Sandbox bypass vulnerability
  • CVE-2022-25182: workflow-cps-global-lib: Sandbox bypass vulnerability
  • CVE-2022-25183: workflow-cps-global-lib: Sandbox bypass vulnerability
  • CVE-2022-25184: pipeline-build-step: Password parameter default values exposed
Red Hat Security Data

Issued: 2022-05-04

Updated: 2022-05-04

RHSA-2022:1620 - Security Advisory

Synopsis

Important: OpenShift Container Platform 4.6.57 packages and security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Container Platform release 4.6.57 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.57. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2022:1621

Security Fix(es):

  • haproxy: Denial of service via set-cookie2 header (CVE-2022-0711)
  • workflow-multibranch: OS command execution through crafted SCM contents (CVE-2022-25175)
  • workflow-cps: Pipeline-related plugins follow symbolic links or do not limit path names (CVE-2022-25176)
  • workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names (CVE-2022-25177)
  • workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names (CVE-2022-25178)
  • workflow-multibranch: Pipeline-related plugins follow symbolic links or do not limit path names (CVE-2022-25179)
  • workflow-cps: Password parameters are included from the original build in replayed builds (CVE-2022-25180)
  • workflow-cps: OS command execution through crafted SCM contents (CVE-2022-25173)
  • workflow-cps-global-lib: OS command execution through crafted SCM contents (CVE-2022-25174)
  • workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25181)
  • workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25182)
  • workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25183)
  • pipeline-build-step: Password parameter default values exposed (CVE-2022-25184)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.6 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

Fixes

  • BZ - 2053666 - CVE-2022-0711 haproxy: Denial of service via set-cookie2 header
  • BZ - 2055719 - CVE-2022-25175 workflow-multibranch: OS command execution through crafted SCM contents
  • BZ - 2055733 - CVE-2022-25173 workflow-cps: OS command execution through crafted SCM contents
  • BZ - 2055734 - CVE-2022-25174 workflow-cps-global-lib: OS command execution through crafted SCM contents
  • BZ - 2055787 - CVE-2022-25176 workflow-cps: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055788 - CVE-2022-25177 workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055789 - CVE-2022-25178 workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055792 - CVE-2022-25179 workflow-multibranch: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055795 - CVE-2022-25180 workflow-cps: Password parameters are included from the original build in replayed builds
  • BZ - 2055797 - CVE-2022-25181 workflow-cps-global-lib: Sandbox bypass vulnerability
  • BZ - 2055798 - CVE-2022-25182 workflow-cps-global-lib: Sandbox bypass vulnerability
  • BZ - 2055802 - CVE-2022-25183 workflow-cps-global-lib: Sandbox bypass vulnerability
  • BZ - 2055804 - CVE-2022-25184 pipeline-build-step: Password parameter default values exposed

CVEs

  • CVE-2022-0711
  • CVE-2022-25173
  • CVE-2022-25174
  • CVE-2022-25175
  • CVE-2022-25176
  • CVE-2022-25177
  • CVE-2022-25178
  • CVE-2022-25179
  • CVE-2022-25180
  • CVE-2022-25181
  • CVE-2022-25182
  • CVE-2022-25183
  • CVE-2022-25184

Red Hat OpenShift Container Platform 4.6 for RHEL 8

SRPM

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el8.src.rpm
  • haproxy-2.0.16-5.el8.src.rpm
  • jenkins-2-plugins-4.6.1650364520-1.el8.src.rpm
  • openshift-4.6.0-202203141645.p0.gec4226d.assembly.stream.el8.src.rpm

x86_64

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el8.x86_64.rpm
  • cri-o-debuginfo-1.19.6-3.rhaos4.6.git3c20b65.el8.x86_64.rpm
  • cri-o-debugsource-1.19.6-3.rhaos4.6.git3c20b65.el8.x86_64.rpm
  • haproxy-debugsource-2.0.16-5.el8.x86_64.rpm
  • haproxy20-2.0.16-5.el8.x86_64.rpm
  • haproxy20-debuginfo-2.0.16-5.el8.x86_64.rpm
  • jenkins-2-plugins-4.6.1650364520-1.el8.noarch.rpm
  • openshift-hyperkube-4.6.0-202203141645.p0.gec4226d.assembly.stream.el8.x86_64.rpm

Red Hat OpenShift Container Platform 4.6 for RHEL 7

SRPM

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el7.src.rpm
  • haproxy-2.0.16-3.el7.src.rpm
  • openshift-4.6.0-202203141645.p0.gec4226d.assembly.stream.el7.src.rpm
  • python-boto-2.34.0-5.el7.src.rpm

x86_64

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el7.x86_64.rpm
  • cri-o-debuginfo-1.19.6-3.rhaos4.6.git3c20b65.el7.x86_64.rpm
  • haproxy-debuginfo-2.0.16-3.el7.x86_64.rpm
  • haproxy20-2.0.16-3.el7.x86_64.rpm
  • openshift-hyperkube-4.6.0-202203141645.p0.gec4226d.assembly.stream.el7.x86_64.rpm
  • python-boto-2.34.0-5.el7.noarch.rpm

Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8

SRPM

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el8.src.rpm
  • haproxy-2.0.16-5.el8.src.rpm
  • jenkins-2-plugins-4.6.1650364520-1.el8.src.rpm
  • openshift-4.6.0-202203141645.p0.gec4226d.assembly.stream.el8.src.rpm

ppc64le

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el8.ppc64le.rpm
  • cri-o-debuginfo-1.19.6-3.rhaos4.6.git3c20b65.el8.ppc64le.rpm
  • cri-o-debugsource-1.19.6-3.rhaos4.6.git3c20b65.el8.ppc64le.rpm
  • haproxy-debugsource-2.0.16-5.el8.ppc64le.rpm
  • haproxy20-2.0.16-5.el8.ppc64le.rpm
  • haproxy20-debuginfo-2.0.16-5.el8.ppc64le.rpm
  • jenkins-2-plugins-4.6.1650364520-1.el8.noarch.rpm
  • openshift-hyperkube-4.6.0-202203141645.p0.gec4226d.assembly.stream.el8.ppc64le.rpm

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8

SRPM

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el8.src.rpm
  • haproxy-2.0.16-5.el8.src.rpm
  • jenkins-2-plugins-4.6.1650364520-1.el8.src.rpm
  • openshift-4.6.0-202203141645.p0.gec4226d.assembly.stream.el8.src.rpm

s390x

  • cri-o-1.19.6-3.rhaos4.6.git3c20b65.el8.s390x.rpm
  • cri-o-debuginfo-1.19.6-3.rhaos4.6.git3c20b65.el8.s390x.rpm
  • cri-o-debugsource-1.19.6-3.rhaos4.6.git3c20b65.el8.s390x.rpm
  • haproxy-debugsource-2.0.16-5.el8.s390x.rpm
  • haproxy20-2.0.16-5.el8.s390x.rpm
  • haproxy20-debuginfo-2.0.16-5.el8.s390x.rpm
  • jenkins-2-plugins-4.6.1650364520-1.el8.noarch.rpm
  • openshift-hyperkube-4.6.0-202203141645.p0.gec4226d.assembly.stream.el8.s390x.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

CVE-2022-22434: IBM Robotic Process Automation parameter pollution CVE-2022-22434 Vulnerability Report

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. IBM X-Force ID: 224159.

CVE-2022-22415: Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages.

A vulnerability exists where an IBM Robotic Process Automation 21.0.1 regular user is able to obtain view-only access to some admin pages in the Control Center IBM X-Force ID: 223029.

CVE-2021-39020: IBM Guardium Data Encryption information disclosure CVE-2021-39020 Vulnerability Report

IBM Guardium Data Encryption (GDE) 4.0.0.7 and lower stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 213855.

CVE-2022-22433: IBM Robotic Process Automation security bypass CVE-2022-22433 Vulnerability Report

IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 224156.

RHSA-2022:1725: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1520: Mozilla: Incorrect security status shown after viewing an attached email * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29913: Mozilla: Speech Synthesis feature not properly disabled ...

CVE-2022-1464: attachment: set CSP header in the serving endpoint (#6926) · gogs/gogs@bc77440

Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .

RHSA-2022:1730: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1520: Mozilla: Incorrect security status shown after viewing an attached email * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29913: Mozilla: Speech Synthesis feature not properly disabled ...

RHSA-2022:1726: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1520: Mozilla: Incorrect security status shown after viewing an attached email * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29913: Mozilla: Speech Synthesis feat...

RHSA-2022:1727: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1520: Mozilla: Incorrect security status shown after viewing an attached email * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29913: Mozilla: Speech Synt...

RHSA-2022:1734: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.1 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-41771: golang: debug/macho: invalid dynamic symbol table command can cause panic * CVE-2021-41772: golang: archive/zip: Reader.Open panics on empty string * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close ...

RHSA-2022:1724: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1520: Mozilla: Incorrect security status shown after viewing an attached email * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29913: Mozilla: Speech Synthesis feat...

CVE-2021-42242: Administrator Interface Command Execution Vulnerability · Issue #28 · jflyfox/jfinal_cms

A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor.

CVE-2022-1575: 18.0.0 release · jgraph/drawio@f768ed7

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.

Researchers Disclose 10-Year-Old Vulnerabilities in Avast and AVG Antivirus

Two high-severity security vulnerabilities, which went undetected for several years, have been discovered in a legitimate driver that's part of Avast and AVG antivirus solutions. "These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded,"

RHSA-2022:1716: Red Hat Security Advisory: Red Hat Ceph Storage 4.3 Security and Bug Fix update

New packages for Red Hat Ceph Storage 4.3 are now available on Red Hat Enterprise Linux 8.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-25658: python-rsa: bleichenbacher timing oracle attack against RSA decryption * CVE-2021-3524: ceph object gateway: radosgw: CRLF injection * CVE-2021-3979: ceph: Ceph volume does not honour osd_dmcrypt_key_size

RHSA-2022:1715: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.3.10 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.3.10 General Availability release images, which provide security updates and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak * CVE-20...

Security recommendations for SAP HANA on RHEL

After extensive testing on RHEL 8.2, 8.4, 8.6 and 9 using the SAP HANA validation test suite, Red Hat’s engineering team concluded that SELinux can run in Enforcing mode with minimal impact to database performance. This is important because it means that RHEL customers will be able to apply higher security levels to their hosts running SAP HANA and tailor the policies to their needs.

Cisco Issues Patches for 3 New Flaws Affecting Enterprise NFVIS Software

Cisco Systems on Wednesday shipped security patches to contain three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that could permit an attacker to fully compromise and take control over the hosts. Tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, the vulnerabilities "could allow an attacker to escape from the guest virtual machine (VM) to the host machine,

F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products. Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity. Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of

Red Hat Security Advisory 2022-1703-01

Red Hat Security Advisory 2022-1703-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-1701-01

Red Hat Security Advisory 2022-1701-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-1708-01

Red Hat Security Advisory 2022-1708-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Red Hat Security Advisory 2022-1705-01

Red Hat Security Advisory 2022-1705-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-1709-01

Red Hat Security Advisory 2022-1709-01 - Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.2 serves as a replacement for Red Hat Single Sign-On 7.5.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a privilege escalation vulnerability.

Red Hat Security Advisory 2022-1622-01

Red Hat Security Advisory 2022-1622-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.57.

Red Hat Security Advisory 2022-1702-01

Red Hat Security Advisory 2022-1702-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-1704-01

Red Hat Security Advisory 2022-1704-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-1712-01

Red Hat Security Advisory 2022-1712-01 - Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.2 on RHEL 8 serves as a security patch for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a privilege escalation vulnerability.

Red Hat Security Advisory 2022-1711-01

Red Hat Security Advisory 2022-1711-01 - Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.2 on RHEL 7 serves as a security patch for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a privilege escalation vulnerability.

CVE-2022-20780: Cisco Security Advisory: Cisco Enterprise NFV Infrastructure Software Vulnerabilities

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.

CVE-2022-20734: Cisco Security Advisory: Cisco SD-WAN vManage Software Information Disclosure Vulnerability

A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, local attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.

CVE-2022-20794: Cisco Security Advisory: Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities

Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination. For more information about these vulnerabilities, see the Details section of this advisory.

CVE-2022-20771: Cisco Security Advisory: ClamAV TIFF File Parsing Denial of Service Vulnerability Affecting Cisco Products: April 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-23724: Ping Identity Documentation Portal

Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must have compromised user credentials.

CVE-2022-20796: Cisco Security Advisory: ClamAV Truncated File Denial of Service Vulnerability Affecting Cisco Products: April 2022

On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.

CVE-2022-20770: Cisco Security Advisory: ClamAV CHM File Parsing Denial of Service Vulnerability Affecting Cisco Products: April 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20785: Cisco Security Advisory: ClamAV HTML Scanning Memory Leak Vulnerability Affecting Cisco Products: April 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20771: Cisco Security Advisory: ClamAV TIFF File Parsing Denial of Service Vulnerability Affecting Cisco Products: May 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20785: Cisco Security Advisory: ClamAV HTML Scanning Memory Leak Vulnerability Affecting Cisco Products: May 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20770: Cisco Security Advisory: ClamAV CHM File Parsing Denial of Service Vulnerability Affecting Cisco Products: May 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20796: Cisco Security Advisory: ClamAV Truncated File Denial of Service Vulnerability Affecting Cisco Products: May 2022

On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.

CVE-2022-20801: Cisco Security Advisory: Cisco Small Business RV Series Routers Command Injection Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device.

CVE-2022-20753: Cisco Security Advisory: Cisco Small Business RV Series Routers Remote Code Execution Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious input to an affected device. A successful exploit could allow the attacker to execute remote code on the affected device. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.

CVE-2022-28940: 0day/新华三magicR100存在DOS攻击漏洞分析.md at main · zhefox/0day

In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. A large amount of data sent through ajaxmsg can be used to carry out a DoS attack.

CVE-2022-27461: Free and open-source eCommerce platform. ASP.NET based shopping cart.

In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.

RHSA-2022:1713: Red Hat Security Advisory: security update for rh-sso-7/sso75-openshift-rhel8 container image

A security-updated rh-sso-7/sso75-openshift-rhel8 container image is now available for RHEL-8 based Middleware Containers. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1245: keycloak: Privilege escalation vulnerability on Token Exchange

CVE-2022-28081: arPHP 3.6.0 - Reflected XSS

A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts.

CVE-2022-28076: seacms v11.6 Vulnerability Execution Command · Issue #1 · likCodinG/seacms_vul

Seacms v11.6 was discovered to contain a remote command execution (RCE) vulnerability via the Mail Server Settings.

RHSA-2022:1711: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update on RHEL 7

New Red Hat Single Sign-On 7.5.2 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1245: keycloak: Privilege escalation vulnerability on Token Exchange

RHSA-2022:1712: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update on RHEL 8

New Red Hat Single Sign-On 7.5.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1245: keycloak: Privilege escalation vulnerability on Token Exchange

SAC Health System Impacted By Security Incident

Six boxes of paper documents were removed from the facility without authorization in early March.

RHSA-2022:1709: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.2 security update

A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1245: keycloak: Privilege escalation vulnerability on Token Exchange

RHSA-2022:1708: Red Hat Security Advisory: Satellite 6.10.5 Async Bug Fix Update

Updated Satellite 6.10 packages that fix several bugs are now available for Red Hat Satellite. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-27023: puppet: unsafe HTTP redirect
  • CVE-2021-27025: puppet: silent configuration failure in agent

RHSA-2022:1703: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts
  • CVE-2022-29911: Mozilla: iframe Sandbox bypass
  • CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies
  • CVE-2022-29914: Mozilla: Fullscreen notification bypass using popups
  • CVE-2022-29916: Mozilla: Leaking browser history with CSS variables
  • CVE-2022-29917: Mozilla: ...

RHSA-2022:1702: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts
  • CVE-2022-29911: Mozilla: iframe Sandbox bypass
  • CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies
  • CVE-2022-29914: Mozilla: Fullscreen notification bypass using popups
  • CVE-2022-29916: Mozilla: Leaking browser history with CSS variables
  • ...

RHSA-2022:1705: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts
  • CVE-2022-29911: Mozilla: iframe Sandbox bypass
  • CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies
  • CVE-2022-29914: Mozilla: Fullscreen notification bypass using popups
  • CVE-2022-29916: Mozilla: Leaking browser history with CSS variables
  • CVE-2022-29917: Mozilla: ...

RHSA-2022:1704: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts
  • CVE-2022-29911: Mozilla: iframe Sandbox bypass
  • CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies
  • CVE-2022-29914: Mozilla: Fullscreen notification bypass using popups
  • CVE-2022-29916: Mozilla: Leaking browser history with CSS variables
  • ...

RHSA-2022:1701: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts
  • CVE-2022-29911: Mozilla: iframe Sandbox bypass
  • CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies
  • CVE-2022-29914: Mozilla: Fullscreen notification bypass using popups
  • CVE-2022-29916: Mozilla: Leaking browser history with CSS v...

CVE-2021-42192: Security Advisory for Konga v.14.9

Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation.

CVE-2022-1571: Cross-site scripting - Reflected in Create Subaccount in facturascripts

Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability allows execution of arbitrary JavaScript code to steal the user's cookie, perform HTTP requests, get the content of `same origin` pages, etc.

RHSA-2022:1622: Red Hat Security Advisory: OpenShift Container Platform 4.6.57 security and extras update

Red Hat OpenShift Container Platform release 4.6.57 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty

CVE-2022-28055: Remove email_logs download. (#6331) · fusionpbx/fusionpbx@4e260b1

Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.

CVE-2022-27431: Wuzhicms v4.1.0 /coreframe/app/member/admin/group.php hava a SQL Injection Vulnerability · Issue #200 · wuzhicms/wuzhicms

Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php.

CVE-2021-43164: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.