| Field | Value |
|---|---|
| Vulnerability Name | CVE-2019-3895 (CCN-162130) |
| Assigned | 2019-05-27 |
| Published | 2019-05-27 |
| Updated | 2021-08-04 |
| Summary | An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphora image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image. |
| CVSS v3 Severity | 8.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H); 7.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C); 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| Vulnerability Type | CWE-Other |
| Vulnerability Consequences | Bypass Security |
| Vulnerable Configuration | Configuration 1; Configuration 2 |

References:

- Source: MITRE, Type: CNA: CVE-2019-3895
- Source: REDHAT, Type: Third Party Advisory: RHSA-2019:1683
- Source: REDHAT, Type: Third Party Advisory: RHSA-2019:1742
- Source: CCN, Type: Red Hat Bugzilla: Bug 1694608 (CVE-2019-3895) - CVE-2019-3895 openstack-tripleo-common: Allows running new amphorae based on arbitrary images
- Source: CONFIRM, Type: Issue Tracking, Mitigation, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3895
- Source: XF, Type: UNKNOWN: redhat-cve20193895-sec-bypass(162130)
- Source: CCN, Type: tripleo-common GIT Repository: [CVE-2019-3895] Set image owner id