CVE-2016-7075 — Improper Certificate Validation in RED HAT Openshift

CWE-295 — Improper Certificate Validation7 documents7 sources

Severity

8.1HIGHNVD

CNA7.5

EPSS

0.3%

top 49.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes RED HAT Openshift Redhat Openshift

Timeline

PublishedSep 10

Latest updateMay 13

Description

It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶Debiankubernetes/kubernetes< 1.5.5+dfsg-1+3

▶NVDredhat/openshift3.1, 3.2, 3.3+2

▶CVEListV5red_hat/openshiftn/a

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-7w66-j2r2-vm3p: It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X↗2022-05-13

▶

CVEList

CVE-2016-7075: It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X↗2018-09-10

▶

OSV

CVE-2016-7075: It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X↗2018-09-10

▶

📋Vendor Advisories

Red Hat

3: API server does not validate client-provided intermediate certificates correctly↗2016-10-10

▶

Debian

CVE-2016-7075: kubernetes - It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly...↗2016

▶

💬Community

Bugzilla

CVE-2016-7075 OpenShift 3: API server does not validate client-provided intermediate certificates correctly↗2016-10-12

▶