CVE-2017-15138 — Sensitive Information Exposure in Redhat Openshift Container Platform

CWE-200 — Sensitive Information Exposure CWE-285 — Improper Authorization5 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 62.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Container Platform

Timeline

PublishedAug 13

Latest updateMay 13

Description

The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages0 packages

Also affects: Openshift Container Platform 3.9

Patches

Patch: access.redhat.com ↗Patch: access.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-qrgj-q9rw-gjrv: The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook↗2022-05-13

▶

CVEList

CVE-2017-15138: The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook↗2018-08-13

▶

📋Vendor Advisories

Red Hat

atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project↗2018-04-11

▶

💬Community

Bugzilla

CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project↗2018-04-11

▶