First published: Tue Oct 27 2020 (Updated: )
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

- golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
- SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)
- grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624)
- js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)
- npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)
- kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013)
- nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
- npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)
- nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
- jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method (CVE-2020-11022)
- jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
- grafana: stored XSS (CVE-2020-11110)
- grafana: XSS annotation popup vulnerability (CVE-2020-12052)
- grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
- nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822)
- golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
- nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
- openshift/console: text injection on error page via crafted url (CVE-2020-10715)
- kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743)
- openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.