Vulnerability Name:

CVE-2018-10937 (CCN-150518)

Assigned:2018-08-26
Published:2018-08-26
Updated:2019-10-09
Summary:A cross site scripting flaw exists in the tetonic-console component of Openshift Container Platform 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2018-10937

Source: BID
Type: Third Party Advisory, VDB Entry
105190

Source: CCN
Type: BID-105190
Openshift Container Platform 'tetonic-console' Component Cross Site Scripting Vulnerability

Source: CCN
Type: Red Hat Bugzilla – Bug 1622372
CVE-2018-10937 tectonic-console: XSS Vulnerability in K8s API proxy

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10937

Source: XF
Type: UNKNOWN
openshift-cve201810937-xss(150518)

Source: CONFIRM
Type: Exploit, Third Party Advisory
https://github.com/openshift/console/commit/d56666852da6e7309a2e63a49f49a72ff66d309c

Source: CONFIRM
Type: Third Party Advisory
https://github.com/openshift/console/pull/461

Source: CCN
Type: OpenShift Web site
OpenShift Container Platform - Red Hat OpenShift

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
  redhat openshift container platform 3.11