CVE-2019-10165

Published: Jul 30, 2019Modified: Nov 21, 2024

2.3

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Exploitability: 0.8 / Impact: 1.4

Source: NVD

Description

OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.

Affected (1)

Products: Redhat: Openshift Container Platform

1 product

Openshift Container Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Before 4.1.3

Related CWEs

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (6)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165

Source: secalert@redhat.com

Issue TrackingPatchVendor Advisory

https://github.com/openshift/cluster-kube-apiserver-operator/pull/499/

Source: secalert@redhat.com

PatchThird Party Advisory

https://github.com/openshift/cluster-openshift-apiserver-operator/pull/205

Source: secalert@redhat.com

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://github.com/openshift/cluster-kube-apiserver-operator/pull/499/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/openshift/cluster-openshift-apiserver-operator/pull/205

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.