Nixpkgs Security Tracker


Suggestions search

With package: python313Packages.openshift

Found 9 matching suggestions

created 2 weeks, 2 days ago
github.com/go-viper/mapstructure/v2: go-viper's mapstructure may leak sensitive information in logs in github.com/go-viper/mapstructure

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Affected products

podman
toolbox
openshift
microshift
gvisor-tap-vsock
rhtas/cosign-rhel9
rhtas/fulcio-rhel9
devspaces/udi-rhel9
rhtas/gitsign-rhel9
rhtas/rekor-cli-rhel9
devspaces/traefik-rhel9
opentelemetry-collector
devspaces/udi-base-rhel9
rhacm2/acm-grafana-rhel9
rhoai/odh-rhel9-operator
rhtas/rekor-server-rhel9
openshift-pipelines-client
openshift4/ose-helm-operator
redhat-certification-preflight
rhoai/odh-model-registry-rhel9
openshift-gitops-1/argocd-rhel8
openshift-gitops-1/argocd-rhel9
rhtas/timestamp-authority-rhel9
rhacm2/submariner-rhel9-operator
rhtas/rekor-backfill-redis-rhel9
openshift4/ose-helm-rhel9-operator
github.com/go-viper/mapstructure/v2
  • <2.4.0
rhosdt/opentelemetry-collector-rhel8
rhtap-task-runner/rhtap-task-runner-rhel9
advanced-cluster-security/rhacs-main-rhel8
advanced-cluster-security/rhacs-roxctl-rhel8
advanced-cluster-security/rhacs-rhel8-operator
advanced-cluster-security/rhacs-central-db-rhel8
advanced-cluster-security/rhacs-scanner-v4-rhel8
advanced-cluster-security/rhacs-scanner-v4-db-rhel8
zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9
zero-trust-workload-identity-manager/spiffe-spire-server-rhel9
zero-trust-workload-identity-manager/spiffe-spire-oidc-discovery-provider-rhel9
zero-trust-workload-identity-manager/zero-trust-workload-identity-manager-rhel9

Matching in nixpkgs


created 4 months, 3 weeks ago
openshift-api: build process in OpenShift allows overwriting of node pull credentials

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images, and can potentially exfiltrate sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

Affected products

openshift
  • ==4.16
openshift-controller-manager
openshift4/ose-openshift-apiserver-rhel7
openshift4/ose-openshift-apiserver-rhel9
openshift4/ose-openshift-controller-manager-rhel9
  • *
org.arquillian.cube/arquillian-cube-openshift-api
openshift4/ose-cluster-openshift-apiserver-operator
  • *
openshift4/ose-cluster-openshift-apiserver-rhel9-operator
  • *

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -


created 4 months, 3 weeks ago
OpenShift: incomplete fix for Rapid Reset (CVE-2023-44487/CVE-2023-39325)

An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for OpenShift Containers.

Affected products

openshift
  • <4.12.48
  • <4.11.58
openshift4/ose-olm-rukpak-rhel8
openshift4/ose-operator-lifecycle-manager
  • *

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -


created 4 months, 3 weeks ago
kube-controller-manager: malformed HPA v1 manifest causes crash

A flaw was found in kube-controller-manager. The initial application of an HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.

Affected products

openshift
  • *
microshift
coredns-container
ose-etcd-container
ose-node-container
ose-tools-container
telemeter-container
kube-proxy-container
multus-cni-container
ose-thanos-container
csi-attacher-container
oauth-server-container
kube-controller-manager
  • <1.27
ose-installer-container
csi-driver-nfs-container
driver-toolkit-container
ose-hypershift-container
ose-olm-rukpak-container
csi-provisioner-container
kube-rbac-proxy-container
ose-cluster-api-container
ose-must-gather-container
configmap-reload-container
oc-mirror-plugin-container
csi-driver-manila-container
csi-livenessprobe-container
operator-registry-container
ose-cli-artifacts-container
ose-network-tools-container
kube-state-metrics-container
ose-ovn-kubernetes-container
ose-oauth-apiserver-container
prometheus-operator-container
marketplace-operator-container
ose-ovirt-csi-driver-container
cluster-etcd-operator-container
ose-cluster-bootstrap-container
ose-egress-router-cni-container
ose-gcp-pd-csi-driver-container
ose-insights-operator-container
ose-machine-os-images-container
vmware-vsphere-syncer-container
ose-aws-ebs-csi-driver-container
ose-baremetal-operator-container
ose-prometheus-adapter-container
ironic-rhcos-downloader-container
openshift-state-metrics-container
ose-baremetal-installer-container
ose-cluster-update-keys-container
ose-installer-artifacts-container
ose-kubevirt-csi-driver-container
ose-openshift-apiserver-container
ose-service-ca-operator-container
cluster-network-operator-container
cluster-version-operator-container
openshift-enterprise-cli-container
openshift-enterprise-pod-container
ose-baremetal-runtimecfg-container
ose-cluster-dns-operator-container
ose-csi-external-resizer-container
ose-machine-api-operator-container
ose-multus-networkpolicy-container
csi-node-driver-registrar-container
ose-azure-disk-csi-driver-container
ose-azure-file-csi-driver-container
ose-cluster-capi-operator-container
ovn-kubernetes-microshift-container
csi-driver-manila-operator-container
ibm-vpc-node-label-updater-container
openshift-enterprise-tests-container
operator-lifecycle-manager-container
ose-network-metrics-daemon-container
prometheus-config-reloader-container
cluster-monitoring-operator-container
ose-apiserver-network-proxy-container
ose-cluster-config-operator-container
ose-csi-snapshot-controller-container
ose-machine-config-operator-container
baremetal-machine-controller-container
cluster-node-tuning-operator-container
openshift-enterprise-console-container
ose-alibaba-cloud-csi-driver-container
ose-aws-pod-identity-webhook-container
ose-azure-cloud-node-manager-container
ose-cluster-ingress-operator-container
ose-cluster-machine-approver-container
ose-cluster-storage-operator-container
ose-csi-external-snapshotter-container
ose-ibm-vpc-block-csi-driver-container
ose-machine-api-provider-aws-container
ose-machine-api-provider-gcp-container
ose-powervs-block-csi-driver-container
ose-route-controller-manager-container
ose-vsphere-problem-detector-container
openshift-enterprise-deployer-container
openshift-enterprise-registry-container
ose-cloud-credential-operator-container
ose-cluster-policy-controller-container
ose-ovirt-machine-controllers-container
ose-vmware-vsphere-csi-driver-container
openshift-enterprise-hyperkube-container
ose-agent-installer-api-server-container
ose-agent-installer-node-agent-container
ose-cluster-baremetal-operator-container
ose-cluster-ovirt-csi-operator-container
ose-csi-driver-shared-resource-container
ose-gcp-pd-csi-driver-operator-container
ose-machine-api-provider-azure-container
ose-network-interface-bond-cni-container
ose-alibaba-machine-controllers-container
ose-aws-cluster-api-controllers-container
ose-aws-ebs-csi-driver-operator-container
ose-cluster-autoscaler-operator-container
ose-containernetworking-plugins-container
ose-gcp-cluster-api-controllers-container
ose-libvirt-machine-controllers-container
ose-multus-admission-controller-container
ose-nutanix-machine-controllers-container
ose-openstack-cinder-csi-driver-container
ose-powervs-machine-controllers-container
ose-agent-installer-csr-approver-container
ose-agent-installer-orchestrator-container
ose-aws-cloud-controller-manager-container
ose-gcp-cloud-controller-manager-container
ose-ibm-cloud-controller-manager-container
ose-ibmcloud-machine-controllers-container
ose-openshift-controller-manager-container
ose-azure-cluster-api-controllers-container
ose-kube-storage-version-migrator-container
ose-azure-cloud-controller-manager-container
ose-azure-disk-csi-driver-operator-container
ose-azure-file-csi-driver-operator-container
ose-image-customization-controller-container
ose-machine-api-provider-openstack-container
openshift-enterprise-haproxy-router-container
ose-cloud-network-config-controller-container
ose-cluster-authentication-operator-container
ose-cluster-image-registry-operator-container
ose-cluster-kube-apiserver-operator-container
ose-cluster-kube-scheduler-operator-container
ose-csi-snapshot-validation-webhook-container
ose-vsphere-cluster-api-controllers-container
ose-alibaba-cloud-controller-manager-container
ose-alibaba-disk-csi-driver-operator-container
ose-ibmcloud-cluster-api-controllers-container
ose-nutanix-cloud-controller-manager-container
ose-powervs-cloud-controller-manager-container
ose-vsphere-cloud-controller-manager-container
openshift-enterprise-console-operator-container
ose-cluster-kube-cluster-api-operator-container
ose-ibm-vpc-block-csi-driver-operator-container
ose-kubevirt-cloud-controller-manager-container
ose-powervs-block-csi-driver-operator-container
prometheus-operator-admission-webhook-container
ose-cluster-platform-operators-manager-container
ose-csi-driver-shared-resource-webhook-container
ose-openstack-cloud-controller-manager-container
ose-vmware-vsphere-csi-driver-operator-container
ose-csi-driver-shared-resource-operator-container
ose-cluster-openshift-apiserver-operator-container
ose-openstack-cinder-csi-driver-operator-container
openshift-enterprise-keepalived-ipfailover-container
ose-cluster-csi-snapshot-controller-operator-container
ose-cluster-kube-controller-manager-operator-container
ose-cluster-cloud-controller-manager-operator-container
ose-cluster-control-plane-machine-set-operator-container
ose-cluster-openshift-controller-manager-operator-container
ose-cluster-kube-storage-version-migrator-operator-container

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -


created 4 months, 3 weeks ago
Content spoofing

A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.

Affected products

openshift

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -


created 4 months, 3 weeks ago
OpenShift API admission checks do not enforce "custom-host" permissions

A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.

Affected products

openshift
kubernetes
atomic-openshift
openshift-clients
rhacm2/agent-service-rhel8

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -

pkgs.kubernetes

Production-Grade Container Scheduling and Management

  • nixos-unstable -

pkgs.kubernetes-kcp

Kubernetes-like control planes for form-factors and use-cases beyond Kubernetes and container workloads

  • nixos-unstable -

pkgs.kubernetes-polaris

Validate and remediate Kubernetes resources to ensure configuration best practices are followed

  • nixos-unstable -

pkgs.kubernetes-validate

Module to validate Kubernetes resource definitions against the declared Kubernetes schemas

  • nixos-unstable -


created 4 months, 3 weeks ago
OCP & FIPS mode

A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

Affected products

openshift
  • ==4.12.0
(as-yet-unknown)
openshift-ansible
openshift-golang-builder-container

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -


created 4 months, 3 weeks ago
kube-apiserver: privesc

An authentication bypass vulnerability was discovered in kube-apiserver. This issue could be exploited by a remote, authenticated attacker who has been given "update, patch" permissions on the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod.

Affected products

openshift
  • *
microshift
  • *
openshift4/ose-pod
openshift4/ose-tests
openshift4/ose-openshift-apiserver-rhel7
github.com/openshift/apiserver-library-go
  • *

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -


created 4 months, 3 weeks ago
OpenShift: existing cross-site request forgery protection insufficient for WebSocket creation

A flaw was found in OpenShift. The existing Cross-Site Request Forgery (CSRF) protections in place do not properly protect GET requests, allowing for the creation of WebSockets via CSRF.

Affected products

openshift

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -
