← Back

CVE-2017-12195

nvd nist
Published: Jul 27, 2018Modified: Nov 21, 2024

JSON object

Loading...
4.8
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 / Impact: 2.5
Source: NVD

Description

A flaw was found in all Openshift Enterprise versions using the openshift elasticsearch plugin. An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices.

Affected (4)

Redhat
1 product
Openshift Container Platform
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Openshift Container Platform
Version 3.4
Openshift Container Platform
Version 3.5
Openshift Container Platform
Version 3.6
Openshift Container Platform
Version 3.7

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

References (6)

Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Issue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party Advisory

Timeline

No history available yet.