Filtered by vendor Redhat
Subscriptions
Filtered by product Migration Toolkit Virtualization
Subscriptions
Total
30 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-29401 | 2 Gin-gonic, Redhat | 4 Gin, Migration Toolkit Virtualization, Openshift and 1 more | 2025-01-06 | 4.3 Medium |
| The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header. | ||||
| CVE-2024-8509 | 1 Redhat | 1 Migration Toolkit Virtualization | 2024-12-27 | 7.5 High |
| A vulnerability was found in Forklift Controller. There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information. | ||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 364 Http Server, Opensearch Data Prepper, Apisix and 361 more | 2024-12-20 | 7.5 High |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | ||||
| CVE-2024-21484 | 2 Jsrsasign Project, Redhat | 2 Jsrsasign, Migration Toolkit Virtualization | 2024-11-21 | 7.5 High |
| Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. | ||||
| CVE-2023-42282 | 2 Fedorindutny, Redhat | 6 Ip, Migration Toolkit Virtualization, Network Observ Optr and 3 more | 2024-11-21 | 9.8 Critical |
| The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. | ||||
| CVE-2023-3978 | 2 Golang, Redhat | 8 Networking, Cryostat, Enterprise Linux and 5 more | 2024-11-21 | 6.1 Medium |
| Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | ||||
| CVE-2023-26144 | 2 Graphql, Redhat | 3 Graphql, Advanced Cluster Security, Migration Toolkit Virtualization | 2024-11-21 | 5.3 Medium |
| Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process. | ||||
| CVE-2022-32190 | 2 Golang, Redhat | 10 Go, Ceph Storage, Container Native Virtualization and 7 more | 2024-11-21 | 7.5 High |
| JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. | ||||
| CVE-2021-41089 | 3 Fedoraproject, Mobyproject, Redhat | 3 Fedora, Moby, Migration Toolkit Virtualization | 2024-11-21 | 2.8 Low |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. | ||||
| CVE-2021-3749 | 4 Axios, Oracle, Redhat and 1 more | 9 Axios, Goldengate, Acm and 6 more | 2024-11-21 | 7.5 High |
| axios is vulnerable to Inefficient Regular Expression Complexity | ||||