CVE-2021-3684

Published: Mar 24, 2023Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.

Affected (2)

Products: Redhat: Openshift Assisted Installer, Openshift Container Platform

2 products

Openshift Assisted Installer

Openshift Container Platform

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Openshift Assisted Installer	Before 1.0.25.3
Redhat Openshift Container Platform	Version 4.6

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 8.0

Related CWEs

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (6)

https://bugzilla.redhat.com/show_bug.cgi?id=1985962

Source: secalert@redhat.com

Issue TrackingPatchVendor Advisory

https://github.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4

Source: secalert@redhat.com

Patch

https://github.com/openshift/assisted-installer/commit/f3800cfa3d64ce6dcd6f7b73f0578bb99bfdaf7a

Source: secalert@redhat.com

Patch

https://bugzilla.redhat.com/show_bug.cgi?id=1985962

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://github.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/openshift/assisted-installer/commit/f3800cfa3d64ce6dcd6f7b73f0578bb99bfdaf7a

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.