#jira

Red Hat Security Advisory 2023-2695-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.40.

Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.

### Impact It's possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1 but there is still the possibility to force specific URLs to skip some checks, e.g. using URLs like `http:example.com` in the parameter would allow the redirect. ### Patches The issue has now been patched against all patterns that we know about for performing redirect. It also performs a real URI parsing that should protect in most cases. This has been patched in XWiki 14.10.4 and 15.0. ### Workarounds The only workaround is to upgrade XWiki. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20096 * JIRA ticket about the improvment actually fixing the vulnerability: https://jira.xwiki.org/browse/XWIKI-20549 * Previous advisory about open redirect: https://github.com/advisories/GHSA-jp55-vvmf-63mv ### For more information If you have any questions or comments abo...

### Impact HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. ### Patches This has been patched in XWiki 14.6 RC1. ### Workarounds There are no known workarounds apart from upgrading to a fixed version. ### References * https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 * https://jira.xwiki.org/browse/XRENDERING-663 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

### Impact It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. **Steps to Reproduce:** 1. Edit your user profile with the object editor and add an object of type `DocumentSheetBinding` with value `Default Class Sheet` 1. Edit your user profile with the wiki editor and add the syntax `{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}` 1. Click "Save & View" **Expected result:** An error is displayed as the user doesn't have the right to execute the Groovy macro. **Actual result:** The text "Hello from groovy!" is displayed at the top of the document. ### Patches This has been patched in XWiki 15.0-rc-1 and 14.10.4. ### Workarounds There are no known workarounds for it. ### References https://jira.xwiki.org/browse/XWIKI-20566 https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4 ### For more information If you have any questions or comments about this advisory:...

Red Hat Security Advisory 2023-2110-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.16. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2023-2029-01 - The OpenShift Security Profiles Operator v0.7.0 is now available. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1372-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.