CVE-2017-7517

CWE-20 — Improper Input Validation5 documents5 sources

Severity

3.5LOW

EPSS

0.2%

top 59.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift

Timeline

PublishedOct 17

Description

An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. If a user creates a project called "MyProject", and then later deletes it another user can then create a project called "MyProject" and access the metrics stored from the original "MyProject" instance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5hawkular_metricsHawkular Metrics as shipped in Red Hat Openshift 3.x

▶NVDredhat/openshift3.0

🔴Vulnerability Details

GHSA

GHSA-946m-r2cc-x4j3: An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenSh↗2022-10-17

▶

CVEList

CVE-2017-7517: An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenSh↗2022-10-17

▶

📋Vendor Advisories

Red Hat

3: Metrics accessible from reused project name↗2017-04-25

▶

💬Community

Bugzilla

CVE-2017-7517 OSE 3: Metrics accessible from reused project name↗2017-07-13

▶