CVE-2019-3895

Published: Jun 3, 2019Modified: Nov 21, 2024

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

Affected (2)

Products: Openstack: Octavia · Redhat: Openstack

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openstack Octavia	Before 0.9.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openstack	Version 12

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://access.redhat.com/errata/RHSA-2019:1683

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1742

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895

Source: secalert@redhat.com

Issue TrackingMitigationThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:1683

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1742

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingMitigationThird Party Advisory

Timeline

No history available yet.