CVE-2019-14854

Published: Jan 7, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.

Affected (2)

Products: Redhat: Openshift Container Platform

1 product

Openshift Container Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 4.1
Redhat Openshift Container Platform	Version 4.2

Related CWEs

Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854

Source: secalert@redhat.com

ExploitIssue TrackingThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.