SB2022051924 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.9 packages

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022051924

SB2022051924 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.9 packages

Published: May 19, 2022

Security Bulletin ID SB2022051924
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 25% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Stored cross-site scripting (CVE-ID: CVE-2022-29036)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the affected plugin does not escape the name and description of Credentials parameters on views displaying parameters. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Stored cross-site scripting (CVE-ID: CVE-2022-29041)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the affected plugin does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Stored cross-site scripting (CVE-ID: CVE-2022-29046)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the affected plugin does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Improper access control (CVE-ID: CVE-2022-29047)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists todue the affected plugin does not apply to uses of the library step with a retriever argument pointing to a library in the current build’s repository and branch. A remote attacker can modify some Pipeline libraries.


Remediation

Install update from vendor's website.

References