CVE-2019-10225

Published: Mar 19, 2021Modified: Nov 21, 2024

6.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.8 / Impact: 3.4

Source: NVD

Description

A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey, and use it to authenticate to the GlusterFS REST service, gaining access to read, and modify files.

Affected (3)

Products: Redhat: Openshift, Openshift Container Platform

2 products

Openshift Container Platform

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift	Version 4.2
Redhat Openshift Container Platform	Version 3.11
Redhat Openshift Container Platform	Version 4.0

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=1743073

Source: secalert@redhat.com

Issue TrackingMitigationThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1743073

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingMitigationThird Party Advisory

Timeline

No history available yet.