Redhat: Security Vulnerabilities
The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted.
CVSS Score
8.8
EPSS Score
0.013
Published
2014-04-30
The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.
CVSS Score
2.1
EPSS Score
0.0
Published
2014-04-27
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to a passthrough trigger.
CVSS Score
7.5
EPSS Score
0.004
Published
2014-04-24
JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. NOTE: some of these details are obtained from third party information.
CVSS Score
6.5
EPSS Score
0.005
Published
2014-04-22
Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.
CVSS Score
4.9
EPSS Score
0.006
Published
2014-04-18
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.
CVSS Score
6.4
EPSS Score
0.002
Published
2014-04-17
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
CVSS Score
2.1
EPSS Score
0.001
Published
2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
CVSS Score
6.5
EPSS Score
0.686
Published
2014-04-17
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.
CVSS Score
2.6
EPSS Score
0.01
Published
2014-04-16
Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.
CVSS Score
2.8
EPSS Score
0.008
Published
2014-04-16